From b4a78ad40d05d4841c0e095d5fbb49b9da59684e Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jul 27 2012 14:32:49 +0000
Subject: - Add systemd_logind_inhibit_var_run_t attribute
- Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type
- Add interface for mysqld to dontaudit signull to all processes
- Label new /var/run/journal directory correctly
- Allow users to inhibit suspend via systemd
- Add new type for the /var/run/inhibit directory
- Add interface to send signull to systemd_login so avahi can send them
- Allow systemd_passwd to send syslog messages
- Remove corenet_all_recvfrom_unlabeled() calling fro policy files
- Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group
- Allow smbd to read cluster config
- Add additional labeling for passenger
- Allow dbus to inhibit suspend via systemd
- Allow avahi to send signull to systemd_login
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 4eeafb0..9974c2b 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -60,7 +60,7 @@ index 313d837..ef3c532 100644
 ########################################
 diff --git a/man/man8/NetworkManager_selinux.8 b/man/man8/NetworkManager_selinux.8
 new file mode 100644
-index 0000000..5b84384
+index 0000000..51564ee
 --- /dev/null
 +++ b/man/man8/NetworkManager_selinux.8
 @@ -0,0 +1,175 @@
@@ -196,7 +196,7 @@ index 0000000..5b84384
 +/var/run/nm-dhclient.*, /var/run/wpa_supplicant(/.*)?, /var/run/NetworkManager\.pid, /var/run/wpa_supplicant-global, /var/run/nm-dns-dnsmasq\.conf, /var/run/NetworkManager(/.*)?
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -241,7 +241,7 @@ index 0000000..5b84384
 +selinux(8), NetworkManager(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/abrt_selinux.8 b/man/man8/abrt_selinux.8
 new file mode 100644
-index 0000000..94f9d06
+index 0000000..867cd65
 --- /dev/null
 +++ b/man/man8/abrt_selinux.8
 @@ -0,0 +1,272 @@
@@ -258,7 +258,7 @@ index 0000000..94f9d06
 +
 +
 +.PP
-+If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event script, you must turn on the abrt_handle_event boolean.
++If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean.
 +
 +.EX
 +.B setsebool -P abrt_handle_event 1
@@ -470,7 +470,7 @@ index 0000000..94f9d06
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -520,7 +520,7 @@ index 0000000..94f9d06
 \ No newline at end of file
 diff --git a/man/man8/accountsd_selinux.8 b/man/man8/accountsd_selinux.8
 new file mode 100644
-index 0000000..bf2e9e9
+index 0000000..55527ac
 --- /dev/null
 +++ b/man/man8/accountsd_selinux.8
 @@ -0,0 +1,103 @@
@@ -584,7 +584,7 @@ index 0000000..bf2e9e9
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -629,7 +629,7 @@ index 0000000..bf2e9e9
 +selinux(8), accountsd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/acct_selinux.8 b/man/man8/acct_selinux.8
 new file mode 100644
-index 0000000..66a28c5
+index 0000000..c9969dc
 --- /dev/null
 +++ b/man/man8/acct_selinux.8
 @@ -0,0 +1,103 @@
@@ -693,7 +693,7 @@ index 0000000..66a28c5
 +/usr/sbin/accton, /sbin/accton, /etc/cron\.(daily|monthly)/acct
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -738,7 +738,7 @@ index 0000000..66a28c5
 +selinux(8), acct(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/afs_selinux.8 b/man/man8/afs_selinux.8
 new file mode 100644
-index 0000000..e64fee6
+index 0000000..8532575
 --- /dev/null
 +++ b/man/man8/afs_selinux.8
 @@ -0,0 +1,292 @@
@@ -908,7 +908,7 @@ index 0000000..e64fee6
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -1036,7 +1036,7 @@ index 0000000..e64fee6
 +selinux(8), afs(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/aiccu_selinux.8 b/man/man8/aiccu_selinux.8
 new file mode 100644
-index 0000000..0125c48
+index 0000000..22de53e
 --- /dev/null
 +++ b/man/man8/aiccu_selinux.8
 @@ -0,0 +1,97 @@
@@ -1094,7 +1094,7 @@ index 0000000..0125c48
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -1139,7 +1139,7 @@ index 0000000..0125c48
 +selinux(8), aiccu(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/aide_selinux.8 b/man/man8/aide_selinux.8
 new file mode 100644
-index 0000000..bc35581
+index 0000000..a19000b
 --- /dev/null
 +++ b/man/man8/aide_selinux.8
 @@ -0,0 +1,93 @@
@@ -1190,10 +1190,10 @@ index 0000000..bc35581
 +.br
 +.TP 5
 +Paths:
-+/var/log/aide\.log, /var/log/aide(/.*)?
++/var/log/aide\.log.*, /var/log/aide(/.*)?
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -1238,7 +1238,7 @@ index 0000000..bc35581
 +selinux(8), aide(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/aisexec_selinux.8 b/man/man8/aisexec_selinux.8
 new file mode 100644
-index 0000000..a60f9af
+index 0000000..486bfb7
 --- /dev/null
 +++ b/man/man8/aisexec_selinux.8
 @@ -0,0 +1,135 @@
@@ -1334,7 +1334,7 @@ index 0000000..a60f9af
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -1379,7 +1379,7 @@ index 0000000..a60f9af
 +selinux(8), aisexec(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ajaxterm_selinux.8 b/man/man8/ajaxterm_selinux.8
 new file mode 100644
-index 0000000..8f28524
+index 0000000..3cc4a68
 --- /dev/null
 +++ b/man/man8/ajaxterm_selinux.8
 @@ -0,0 +1,129 @@
@@ -1443,7 +1443,7 @@ index 0000000..8f28524
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -1514,7 +1514,7 @@ index 0000000..8f28524
 +selinux(8), ajaxterm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/alsa_selinux.8 b/man/man8/alsa_selinux.8
 new file mode 100644
-index 0000000..bd81e5b
+index 0000000..f44b609
 --- /dev/null
 +++ b/man/man8/alsa_selinux.8
 @@ -0,0 +1,135 @@
@@ -1610,7 +1610,7 @@ index 0000000..bd81e5b
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -1655,7 +1655,7 @@ index 0000000..bd81e5b
 +selinux(8), alsa(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/amanda_selinux.8 b/man/man8/amanda_selinux.8
 new file mode 100644
-index 0000000..d765f49
+index 0000000..8a4105d
 --- /dev/null
 +++ b/man/man8/amanda_selinux.8
 @@ -0,0 +1,231 @@
@@ -1819,7 +1819,7 @@ index 0000000..d765f49
 +/var/lib/amanda/[^/]+/index(/.*)?, /var/lib/amanda
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -1892,7 +1892,7 @@ index 0000000..d765f49
 +selinux(8), amanda(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/amavis_selinux.8 b/man/man8/amavis_selinux.8
 new file mode 100644
-index 0000000..ebcadc1
+index 0000000..a860e6a
 --- /dev/null
 +++ b/man/man8/amavis_selinux.8
 @@ -0,0 +1,204 @@
@@ -2001,7 +2001,7 @@ index 0000000..ebcadc1
 +.br
 +.TP 5
 +Paths:
-+/var/lib/amavis(/.*)?, /var/amavis(/.*)?
++/var/lib/amavis(/.*)?, /var/opt/f-secure(/.*)?, /var/amavis(/.*)?
 +
 +.EX
 +.PP
@@ -2020,7 +2020,7 @@ index 0000000..ebcadc1
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -2102,7 +2102,7 @@ index 0000000..ebcadc1
 +selinux(8), amavis(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/amtu_selinux.8 b/man/man8/amtu_selinux.8
 new file mode 100644
-index 0000000..fe1dc7f
+index 0000000..2f99a72
 --- /dev/null
 +++ b/man/man8/amtu_selinux.8
 @@ -0,0 +1,73 @@
@@ -2136,7 +2136,7 @@ index 0000000..fe1dc7f
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -2181,7 +2181,7 @@ index 0000000..fe1dc7f
 +selinux(8), amtu(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/apcupsd_selinux.8 b/man/man8/apcupsd_selinux.8
 new file mode 100644
-index 0000000..068751c
+index 0000000..6c86648
 --- /dev/null
 +++ b/man/man8/apcupsd_selinux.8
 @@ -0,0 +1,157 @@
@@ -2271,7 +2271,7 @@ index 0000000..068751c
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -2344,7 +2344,7 @@ index 0000000..068751c
 +selinux(8), apcupsd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/apm_selinux.8 b/man/man8/apm_selinux.8
 new file mode 100644
-index 0000000..dbcd6c3
+index 0000000..d6b5395
 --- /dev/null
 +++ b/man/man8/apm_selinux.8
 @@ -0,0 +1,143 @@
@@ -2448,7 +2448,7 @@ index 0000000..dbcd6c3
 +/var/run/\.?acpid\.socket, /var/run/apmd\.pid, /var/run/powersaved\.pid, /var/run/powersave_socket
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -2493,7 +2493,7 @@ index 0000000..dbcd6c3
 +selinux(8), apm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/apmd_selinux.8 b/man/man8/apmd_selinux.8
 new file mode 100644
-index 0000000..0683b40
+index 0000000..ce243b5
 --- /dev/null
 +++ b/man/man8/apmd_selinux.8
 @@ -0,0 +1,135 @@
@@ -2589,7 +2589,7 @@ index 0000000..0683b40
 +/var/run/\.?acpid\.socket, /var/run/apmd\.pid, /var/run/powersaved\.pid, /var/run/powersave_socket
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -2634,7 +2634,7 @@ index 0000000..0683b40
 +selinux(8), apmd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/arpwatch_selinux.8 b/man/man8/arpwatch_selinux.8
 new file mode 100644
-index 0000000..7be1bb4
+index 0000000..7a26123
 --- /dev/null
 +++ b/man/man8/arpwatch_selinux.8
 @@ -0,0 +1,131 @@
@@ -2726,7 +2726,7 @@ index 0000000..7be1bb4
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -2771,7 +2771,7 @@ index 0000000..7be1bb4
 +selinux(8), arpwatch(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/asterisk_selinux.8 b/man/man8/asterisk_selinux.8
 new file mode 100644
-index 0000000..2b02b78
+index 0000000..7cf9e0a
 --- /dev/null
 +++ b/man/man8/asterisk_selinux.8
 @@ -0,0 +1,179 @@
@@ -2883,7 +2883,7 @@ index 0000000..2b02b78
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -2956,7 +2956,7 @@ index 0000000..2b02b78
 +selinux(8), asterisk(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/audisp_selinux.8 b/man/man8/audisp_selinux.8
 new file mode 100644
-index 0000000..b3fc950
+index 0000000..3ad89dc
 --- /dev/null
 +++ b/man/man8/audisp_selinux.8
 @@ -0,0 +1,111 @@
@@ -3028,7 +3028,7 @@ index 0000000..b3fc950
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -3144,7 +3144,7 @@ index 0000000..cba947e
 +selinux(8), semanage(8).
 diff --git a/man/man8/auditctl_selinux.8 b/man/man8/auditctl_selinux.8
 new file mode 100644
-index 0000000..b939685
+index 0000000..3b2ace8
 --- /dev/null
 +++ b/man/man8/auditctl_selinux.8
 @@ -0,0 +1,77 @@
@@ -3182,7 +3182,7 @@ index 0000000..b939685
 +/sbin/auditctl, /usr/sbin/auditctl
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -3227,7 +3227,7 @@ index 0000000..b939685
 +selinux(8), auditctl(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/auditd_selinux.8 b/man/man8/auditd_selinux.8
 new file mode 100644
-index 0000000..6f8783b
+index 0000000..d3f0e92
 --- /dev/null
 +++ b/man/man8/auditd_selinux.8
 @@ -0,0 +1,165 @@
@@ -3327,7 +3327,7 @@ index 0000000..6f8783b
 +/var/run/audit_events, /var/run/auditd_sock, /var/run/auditd\.pid
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -3398,7 +3398,7 @@ index 0000000..6f8783b
 +selinux(8), auditd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/automount_selinux.8 b/man/man8/automount_selinux.8
 new file mode 100644
-index 0000000..31985a4
+index 0000000..df152ca
 --- /dev/null
 +++ b/man/man8/automount_selinux.8
 @@ -0,0 +1,139 @@
@@ -3498,7 +3498,7 @@ index 0000000..31985a4
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -3543,7 +3543,7 @@ index 0000000..31985a4
 +selinux(8), automount(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/avahi_selinux.8 b/man/man8/avahi_selinux.8
 new file mode 100644
-index 0000000..97fc5cf
+index 0000000..ea58fab
 --- /dev/null
 +++ b/man/man8/avahi_selinux.8
 @@ -0,0 +1,138 @@
@@ -3560,7 +3560,7 @@ index 0000000..97fc5cf
 +
 +
 +.PP
-+If you want to allow Apache to communicate with avahi service via dbu, you must turn on the httpd_dbus_avahi boolean.
++If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean.
 +
 +.EX
 +.B setsebool -P httpd_dbus_avahi 1
@@ -3638,7 +3638,7 @@ index 0000000..97fc5cf
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -3688,7 +3688,7 @@ index 0000000..97fc5cf
 \ No newline at end of file
 diff --git a/man/man8/awstats_selinux.8 b/man/man8/awstats_selinux.8
 new file mode 100644
-index 0000000..37d4a5d
+index 0000000..a8d07a7
 --- /dev/null
 +++ b/man/man8/awstats_selinux.8
 @@ -0,0 +1,89 @@
@@ -3738,7 +3738,7 @@ index 0000000..37d4a5d
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -3783,7 +3783,7 @@ index 0000000..37d4a5d
 +selinux(8), awstats(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/bcfg2_selinux.8 b/man/man8/bcfg2_selinux.8
 new file mode 100644
-index 0000000..b1f3146
+index 0000000..d1b1086
 --- /dev/null
 +++ b/man/man8/bcfg2_selinux.8
 @@ -0,0 +1,119 @@
@@ -3863,7 +3863,7 @@ index 0000000..b1f3146
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -3908,7 +3908,7 @@ index 0000000..b1f3146
 +selinux(8), bcfg2(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/bitlbee_selinux.8 b/man/man8/bitlbee_selinux.8
 new file mode 100644
-index 0000000..4d6b678
+index 0000000..48184bf
 --- /dev/null
 +++ b/man/man8/bitlbee_selinux.8
 @@ -0,0 +1,143 @@
@@ -4012,7 +4012,7 @@ index 0000000..4d6b678
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -4057,7 +4057,7 @@ index 0000000..4d6b678
 +selinux(8), bitlbee(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/blktap_selinux.8 b/man/man8/blktap_selinux.8
 new file mode 100644
-index 0000000..be40148
+index 0000000..e108b84
 --- /dev/null
 +++ b/man/man8/blktap_selinux.8
 @@ -0,0 +1,100 @@
@@ -4114,7 +4114,7 @@ index 0000000..be40148
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -4164,7 +4164,7 @@ index 0000000..be40148
 \ No newline at end of file
 diff --git a/man/man8/blueman_selinux.8 b/man/man8/blueman_selinux.8
 new file mode 100644
-index 0000000..50e8fa0
+index 0000000..959caf2
 --- /dev/null
 +++ b/man/man8/blueman_selinux.8
 @@ -0,0 +1,95 @@
@@ -4220,7 +4220,7 @@ index 0000000..50e8fa0
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -4265,7 +4265,7 @@ index 0000000..50e8fa0
 +selinux(8), blueman(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/bluetooth_selinux.8 b/man/man8/bluetooth_selinux.8
 new file mode 100644
-index 0000000..7f82ebf
+index 0000000..bf19998
 --- /dev/null
 +++ b/man/man8/bluetooth_selinux.8
 @@ -0,0 +1,202 @@
@@ -4282,7 +4282,7 @@ index 0000000..7f82ebf
 +
 +
 +.PP
-+If you want to allow xguest to use blue tooth device, you must turn on the xguest_use_bluetooth boolean.
++If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean.
 +
 +.EX
 +.B setsebool -P xguest_use_bluetooth 1
@@ -4424,7 +4424,7 @@ index 0000000..7f82ebf
 +/var/run/bluetoothd_address, /var/run/sdp
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -4474,7 +4474,7 @@ index 0000000..7f82ebf
 \ No newline at end of file
 diff --git a/man/man8/boinc_selinux.8 b/man/man8/boinc_selinux.8
 new file mode 100644
-index 0000000..685379f
+index 0000000..a5fad86
 --- /dev/null
 +++ b/man/man8/boinc_selinux.8
 @@ -0,0 +1,178 @@
@@ -4576,7 +4576,7 @@ index 0000000..685379f
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -4658,7 +4658,7 @@ index 0000000..685379f
 +selinux(8), boinc(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/bootloader_selinux.8 b/man/man8/bootloader_selinux.8
 new file mode 100644
-index 0000000..eec1cec
+index 0000000..6a3deb4
 --- /dev/null
 +++ b/man/man8/bootloader_selinux.8
 @@ -0,0 +1,134 @@
@@ -4675,7 +4675,7 @@ index 0000000..eec1cec
 +
 +
 +.PP
-+If you want to allow the graphical login program to execute bootloade, you must turn on the xdm_exec_bootloader boolean.
++If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean.
 +
 +.EX
 +.B setsebool -P xdm_exec_bootloader 1
@@ -4749,7 +4749,7 @@ index 0000000..eec1cec
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -4799,7 +4799,7 @@ index 0000000..eec1cec
 \ No newline at end of file
 diff --git a/man/man8/brctl_selinux.8 b/man/man8/brctl_selinux.8
 new file mode 100644
-index 0000000..c101394
+index 0000000..dbbebfb
 --- /dev/null
 +++ b/man/man8/brctl_selinux.8
 @@ -0,0 +1,73 @@
@@ -4833,7 +4833,7 @@ index 0000000..c101394
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -4878,7 +4878,7 @@ index 0000000..c101394
 +selinux(8), brctl(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cachefilesd_selinux.8 b/man/man8/cachefilesd_selinux.8
 new file mode 100644
-index 0000000..ae12188
+index 0000000..9043116
 --- /dev/null
 +++ b/man/man8/cachefilesd_selinux.8
 @@ -0,0 +1,85 @@
@@ -4924,7 +4924,7 @@ index 0000000..ae12188
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -4969,7 +4969,7 @@ index 0000000..ae12188
 +selinux(8), cachefilesd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/calamaris_selinux.8 b/man/man8/calamaris_selinux.8
 new file mode 100644
-index 0000000..49eff66
+index 0000000..61353ef
 --- /dev/null
 +++ b/man/man8/calamaris_selinux.8
 @@ -0,0 +1,103 @@
@@ -5033,7 +5033,7 @@ index 0000000..49eff66
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -5078,7 +5078,7 @@ index 0000000..49eff66
 +selinux(8), calamaris(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/callweaver_selinux.8 b/man/man8/callweaver_selinux.8
 new file mode 100644
-index 0000000..c6d08e9
+index 0000000..5966166
 --- /dev/null
 +++ b/man/man8/callweaver_selinux.8
 @@ -0,0 +1,127 @@
@@ -5166,7 +5166,7 @@ index 0000000..c6d08e9
 +
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -5211,7 +5211,7 @@ index 0000000..c6d08e9
 +selinux(8), callweaver(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/canna_selinux.8 b/man/man8/canna_selinux.8
 new file mode 100644
-index 0000000..82b8b66
+index 0000000..b6eda1f
 --- /dev/null
 +++ b/man/man8/canna_selinux.8
 @@ -0,0 +1,121 @@
@@ -5293,7 +5293,7 @@ index 0000000..82b8b66
 +/var/run/\.iroha_unix/.*, /var/run/wnn-unix(/.*)?, /var/run/\.iroha_unix
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -5338,7 +5338,7 @@ index 0000000..82b8b66
 +selinux(8), canna(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cardmgr_selinux.8 b/man/man8/cardmgr_selinux.8
 new file mode 100644
-index 0000000..9b896dc
+index 0000000..d3e6992
 --- /dev/null
 +++ b/man/man8/cardmgr_selinux.8
 @@ -0,0 +1,113 @@
@@ -5412,7 +5412,7 @@ index 0000000..9b896dc
 +/var/run/cardmgr\.pid, /var/run/stab, /var/lib/pcmcia(/.*)?
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -5457,7 +5457,7 @@ index 0000000..9b896dc
 +selinux(8), cardmgr(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ccs_selinux.8 b/man/man8/ccs_selinux.8
 new file mode 100644
-index 0000000..e068e54
+index 0000000..3eb68f4
 --- /dev/null
 +++ b/man/man8/ccs_selinux.8
 @@ -0,0 +1,121 @@
@@ -5539,7 +5539,7 @@ index 0000000..e068e54
 +/var/run/cluster/ccsd\.pid, /var/run/cluster/ccsd\.sock
 +
 +.PP
-+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
 +.B semanage fcontext
 +command. This will modify the SELinux labeling database. You will need to use
 +.B restorecon
@@ -5584,7 +5584,7 @@ index 0000000..e068e54
 +selinux(8), ccs(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cdcc_selinux.8 b/man/man8/cdcc_selinux.8
 new file mode 100644
-index 0000000..34e2704
+index 0000000..9cf6042
 --- /dev/null
 +++ b/man/man8/cdcc_selinux.8
 @@ -0,0 +1,95 @@
@@ -5640,7 +5640,7 @@ index 0000000..34e2704 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5685,7 +5685,7 @@ index 0000000..34e2704 +selinux(8), cdcc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cdrecord_selinux.8 b/man/man8/cdrecord_selinux.8 new file mode 100644 -index 0000000..85cb1a9 +index 0000000..48d9d17 --- /dev/null +++ b/man/man8/cdrecord_selinux.8 @@ -0,0 +1,92 @@ @@ -5702,7 +5702,7 @@ index 0000000..85cb1a9 + + +.PP -+If you want to allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content file, you must turn on the cdrecord_read_content boolean. ++If you want to allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files, you must turn on the cdrecord_read_content boolean. + +.EX +.B setsebool -P cdrecord_read_content 1 @@ -5734,7 +5734,7 @@ index 0000000..85cb1a9 +/usr/bin/cdrecord, /usr/bin/wodim, /usr/bin/growisofs + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5784,7 +5784,7 @@ index 0000000..85cb1a9 \ No newline at end of file diff --git a/man/man8/certmaster_selinux.8 b/man/man8/certmaster_selinux.8 new file mode 100644 -index 0000000..66afecb +index 0000000..ad180e1 --- /dev/null 
+++ b/man/man8/certmaster_selinux.8 @@ -0,0 +1,153 @@ @@ -5872,7 +5872,7 @@ index 0000000..66afecb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5943,7 +5943,7 @@ index 0000000..66afecb +selinux(8), certmaster(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/certmonger_selinux.8 b/man/man8/certmonger_selinux.8 new file mode 100644 -index 0000000..a543011 +index 0000000..a40b2c3 --- /dev/null +++ b/man/man8/certmonger_selinux.8 @@ -0,0 +1,119 @@ @@ -6023,7 +6023,7 @@ index 0000000..a543011 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6040,7 +6040,7 @@ index 0000000..a543011 +The following process types are defined for certmonger: + +.EX -+.B certmonger_unconfined_t, certmonger_t ++.B certmonger_t +.EE +.PP +Note: @@ -6068,7 +6068,7 @@ index 0000000..a543011 +selinux(8), certmonger(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/certwatch_selinux.8 b/man/man8/certwatch_selinux.8 new file mode 100644 -index 0000000..089cf20 +index 0000000..1926b29 --- /dev/null +++ b/man/man8/certwatch_selinux.8 @@ -0,0 +1,73 @@ 
@@ -6102,7 +6102,7 @@ index 0000000..089cf20 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6147,7 +6147,7 @@ index 0000000..089cf20 +selinux(8), certwatch(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cfengine_selinux.8 b/man/man8/cfengine_selinux.8 new file mode 100644 -index 0000000..216eb67 +index 0000000..2a9ebfe --- /dev/null +++ b/man/man8/cfengine_selinux.8 @@ -0,0 +1,131 @@ @@ -6239,7 +6239,7 @@ index 0000000..216eb67 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6284,7 +6284,7 @@ index 0000000..216eb67 +selinux(8), cfengine(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cgclear_selinux.8 b/man/man8/cgclear_selinux.8 new file mode 100644 -index 0000000..2629bba +index 0000000..5d9b403 --- /dev/null +++ b/man/man8/cgclear_selinux.8 @@ -0,0 +1,77 @@ 
@@ -6322,7 +6322,7 @@ index 0000000..2629bba +/sbin/cgclear, /usr/sbin/cgclear + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6367,7 +6367,7 @@ index 0000000..2629bba +selinux(8), cgclear(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cgconfig_selinux.8 b/man/man8/cgconfig_selinux.8 new file mode 100644 -index 0000000..b643891 +index 0000000..1b58511 --- /dev/null +++ b/man/man8/cgconfig_selinux.8 @@ -0,0 +1,111 @@ @@ -6439,7 +6439,7 @@ index 0000000..b643891 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6484,7 +6484,7 @@ index 0000000..b643891 +selinux(8), cgconfig(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cgred_selinux.8 b/man/man8/cgred_selinux.8 new file mode 100644 -index 0000000..cf5a223 +index 0000000..07be690 --- /dev/null +++ b/man/man8/cgred_selinux.8 @@ -0,0 +1,115 @@ 
@@ -6560,7 +6560,7 @@ index 0000000..cf5a223 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6605,7 +6605,7 @@ index 0000000..cf5a223 +selinux(8), cgred(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/checkpc_selinux.8 b/man/man8/checkpc_selinux.8 new file mode 100644 -index 0000000..9bcb086 +index 0000000..32fd09a --- /dev/null +++ b/man/man8/checkpc_selinux.8 @@ -0,0 +1,81 @@ @@ -6647,7 +6647,7 @@ index 0000000..9bcb086 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6692,7 +6692,7 @@ index 0000000..9bcb086 +selinux(8), checkpc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/checkpolicy_selinux.8 b/man/man8/checkpolicy_selinux.8 new file mode 100644 -index 0000000..1ca072a +index 0000000..ba66ff0 --- /dev/null +++ b/man/man8/checkpolicy_selinux.8 @@ -0,0 +1,73 @@ 
@@ -6726,7 +6726,7 @@ index 0000000..1ca072a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6771,7 +6771,7 @@ index 0000000..1ca072a +selinux(8), checkpolicy(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/chfn_selinux.8 b/man/man8/chfn_selinux.8 new file mode 100644 -index 0000000..808065f +index 0000000..e8621ca --- /dev/null +++ b/man/man8/chfn_selinux.8 @@ -0,0 +1,91 @@ @@ -6823,7 +6823,7 @@ index 0000000..808065f +/usr/bin/chfn, /usr/bin/chsh + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6868,7 +6868,7 @@ index 0000000..808065f +selinux(8), chfn(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/chkpwd_selinux.8 b/man/man8/chkpwd_selinux.8 new file mode 100644 -index 0000000..2974237 +index 0000000..6d70e8c --- /dev/null +++ b/man/man8/chkpwd_selinux.8 @@ -0,0 +1,91 @@ 
@@ -6920,7 +6920,7 @@ index 0000000..2974237 +/sbin/unix_chkpwd, /usr/sbin/unix_verify, /usr/sbin/validate, /sbin/unix_verify, /usr/sbin/unix_chkpwd + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6965,7 +6965,7 @@ index 0000000..2974237 +selinux(8), chkpwd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/chrome_selinux.8 b/man/man8/chrome_selinux.8 new file mode 100644 -index 0000000..fec6ea8 +index 0000000..7fb8441 --- /dev/null +++ b/man/man8/chrome_selinux.8 @@ -0,0 +1,120 @@ @@ -6982,7 +6982,7 @@ index 0000000..fec6ea8 + + +.PP -+If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbo, you must turn on the unconfined_chrome_sandbox_transition boolean. ++If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean. + +.EX +.B setsebool -P unconfined_chrome_sandbox_transition 1 @@ -7023,7 +7023,7 @@ index 0000000..fec6ea8 +.br +.TP 5 +Paths: -+/opt/google/chrome/nacl_helper_bootstrap, /usr/lib/chromium-browser/nacl_helper_bootstrap ++/usr/lib/chromium-browser/nacl_helper_bootstrap, /opt/google/chrome/nacl_helper_bootstrap + +.EX +.PP 
@@ -7042,7 +7042,7 @@ index 0000000..fec6ea8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7092,7 +7092,7 @@ index 0000000..fec6ea8 \ No newline at end of file diff --git a/man/man8/chronyd_selinux.8 b/man/man8/chronyd_selinux.8 new file mode 100644 -index 0000000..90b125c +index 0000000..1a4b417 --- /dev/null +++ b/man/man8/chronyd_selinux.8 @@ -0,0 +1,173 @@ @@ -7200,7 +7200,7 @@ index 0000000..90b125c +/var/run/chronyd(/.*), /var/run/chronyd\.sock, /var/run/chronyd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7271,7 +7271,7 @@ index 0000000..90b125c +selinux(8), chronyd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ciped_selinux.8 b/man/man8/ciped_selinux.8 new file mode 100644 -index 0000000..27d1a6b +index 0000000..c4fed0a --- /dev/null +++ b/man/man8/ciped_selinux.8 @@ -0,0 +1,73 @@ 
@@ -7305,7 +7305,7 @@ index 0000000..27d1a6b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7350,7 +7350,7 @@ index 0000000..27d1a6b +selinux(8), ciped(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/clamd_selinux.8 b/man/man8/clamd_selinux.8 new file mode 100644 -index 0000000..e453e16 +index 0000000..ee012c5 --- /dev/null +++ b/man/man8/clamd_selinux.8 @@ -0,0 +1,214 @@ @@ -7367,21 +7367,21 @@ index 0000000..e453e16 + + +.PP -+If you want to allow clamscan to read user conten, you must turn on the clamscan_read_user_content boolean. ++If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean. + +.EX +.B setsebool -P clamscan_read_user_content 1 +.EE + +.PP -+If you want to allow clamscan to non security files on a syste, you must turn on the clamscan_can_scan_system boolean. ++If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean. + +.EX +.B setsebool -P clamscan_can_scan_system 1 +.EE + +.PP -+If you want to allow clamd to use JIT compile, you must turn on the clamd_use_jit boolean. ++If you want to allow clamd to use JIT compiler, you must turn on the clamd_use_jit boolean. + +.EX +.B setsebool -P clamd_use_jit 1 
@@ -7495,7 +7495,7 @@ index 0000000..e453e16 +/var/run/amavis(d)?/clamd\.pid, /var/run/clamd.*, /var/run/clamav.*, /var/spool/MailScanner(/.*)?, /var/spool/amavisd/clamd\.sock + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7571,7 +7571,7 @@ index 0000000..e453e16 \ No newline at end of file diff --git a/man/man8/clamscan_selinux.8 b/man/man8/clamscan_selinux.8 new file mode 100644 -index 0000000..dd41fa2 +index 0000000..f7e5328 --- /dev/null +++ b/man/man8/clamscan_selinux.8 @@ -0,0 +1,107 @@ @@ -7588,14 +7588,14 @@ index 0000000..dd41fa2 + + +.PP -+If you want to allow clamscan to read user conten, you must turn on the clamscan_read_user_content boolean. ++If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean. + +.EX +.B setsebool -P clamscan_read_user_content 1 +.EE + +.PP -+If you want to allow clamscan to non security files on a syste, you must turn on the clamscan_can_scan_system boolean. ++If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean. + +.EX +.B setsebool -P clamscan_can_scan_system 1 @@ -7635,7 +7635,7 @@ index 0000000..dd41fa2 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -7685,7 +7685,7 @@ index 0000000..dd41fa2 \ No newline at end of file diff --git a/man/man8/clogd_selinux.8 b/man/man8/clogd_selinux.8 new file mode 100644 -index 0000000..2ec309f +index 0000000..903b2bf --- /dev/null +++ b/man/man8/clogd_selinux.8 @@ -0,0 +1,89 @@ @@ -7735,7 +7735,7 @@ index 0000000..2ec309f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7780,7 +7780,7 @@ index 0000000..2ec309f +selinux(8), clogd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/clvmd_selinux.8 b/man/man8/clvmd_selinux.8 new file mode 100644 -index 0000000..980ca0c +index 0000000..b862840 --- /dev/null +++ b/man/man8/clvmd_selinux.8 @@ -0,0 +1,111 @@ @@ -7852,7 +7852,7 @@ index 0000000..980ca0c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7897,7 +7897,7 @@ index 0000000..980ca0c +selinux(8), clvmd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cmirrord_selinux.8 b/man/man8/cmirrord_selinux.8 new file mode 100644 -index 0000000..4d708d4 +index 0000000..5f46712 --- /dev/null +++ b/man/man8/cmirrord_selinux.8 @@ -0,0 +1,97 @@ 
@@ -7955,7 +7955,7 @@ index 0000000..4d708d4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8000,7 +8000,7 @@ index 0000000..4d708d4 +selinux(8), cmirrord(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cobblerd_selinux.8 b/man/man8/cobblerd_selinux.8 new file mode 100644 -index 0000000..0f5ed2b +index 0000000..97f4a43 --- /dev/null +++ b/man/man8/cobblerd_selinux.8 @@ -0,0 +1,177 @@ @@ -8108,7 +8108,7 @@ index 0000000..0f5ed2b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8184,7 +8184,7 @@ index 0000000..0f5ed2b \ No newline at end of file diff --git a/man/man8/collectd_selinux.8 b/man/man8/collectd_selinux.8 new file mode 100644 -index 0000000..7e335f5 +index 0000000..8c62b84 --- /dev/null +++ b/man/man8/collectd_selinux.8 @@ -0,0 +1,120 @@ @@ -8261,7 +8261,7 @@ index 0000000..7e335f5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -8311,7 +8311,7 @@ index 0000000..7e335f5 \ No newline at end of file diff --git a/man/man8/colord_selinux.8 b/man/man8/colord_selinux.8 new file mode 100644 -index 0000000..96370fd +index 0000000..2030937 --- /dev/null +++ b/man/man8/colord_selinux.8 @@ -0,0 +1,127 @@ @@ -8399,7 +8399,7 @@ index 0000000..96370fd +/var/lib/color(/.*)?, /var/lib/colord(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8444,7 +8444,7 @@ index 0000000..96370fd +selinux(8), colord(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/comsat_selinux.8 b/man/man8/comsat_selinux.8 new file mode 100644 -index 0000000..1ccb87c +index 0000000..97f145e --- /dev/null +++ b/man/man8/comsat_selinux.8 @@ -0,0 +1,129 @@ @@ -8508,7 +8508,7 @@ index 0000000..1ccb87c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -8577,9 +8577,257 @@ index 0000000..1ccb87c + +.SH "SEE ALSO" +selinux(8), comsat(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/condor_selinux.8 b/man/man8/condor_selinux.8 +new file mode 100644 +index 0000000..a186b3e +--- /dev/null ++++ b/man/man8/condor_selinux.8 +@@ -0,0 +1,242 @@ ++.TH "condor_selinux" "8" "condor" "dwalsh@redhat.com" "condor SELinux Policy documentation" ++.SH "NAME" ++condor_selinux \- Security Enhanced Linux Policy for the condor processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the condor processes via flexible mandatory access ++control. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. condor policy is extremely flexible and has several booleans that allow you to manipulate the policy and run condor with the tightest access possible. ++ ++ ++.PP ++If you want to allow codnor domain to connect to the network using TCP, you must turn on the condor_domain_can_network_connect boolean. ++ ++.EX ++.B setsebool -P condor_domain_can_network_connect 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_startd_t, condor_master_t, condor_startd_ssh_t, condor_negotiator_t, condor_collector_t, condor_schedd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the condor_startd_t, condor_master_t, condor_startd_ssh_t, condor_negotiator_t, condor_collector_t, condor_schedd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. 
++SELinux condor policy is very flexible allowing users to setup their condor processes in as secure a method as possible. ++.PP ++The following file types are defined for condor: ++ ++ ++.EX ++.PP ++.B condor_collector_exec_t ++.EE ++ ++- Set files with the condor_collector_exec_t type, if you want to transition an executable to the condor_collector_t domain. ++ ++ ++.EX ++.PP ++.B condor_log_t ++.EE ++ ++- Set files with the condor_log_t type, if you want to treat the data as condor log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B condor_master_exec_t ++.EE ++ ++- Set files with the condor_master_exec_t type, if you want to transition an executable to the condor_master_t domain. ++ ++ ++.EX ++.PP ++.B condor_negotiator_exec_t ++.EE ++ ++- Set files with the condor_negotiator_exec_t type, if you want to transition an executable to the condor_negotiator_t domain. ++ ++ ++.EX ++.PP ++.B condor_procd_exec_t ++.EE ++ ++- Set files with the condor_procd_exec_t type, if you want to transition an executable to the condor_procd_t domain. ++ ++ ++.EX ++.PP ++.B condor_schedd_exec_t ++.EE ++ ++- Set files with the condor_schedd_exec_t type, if you want to transition an executable to the condor_schedd_t domain. ++ ++ ++.EX ++.PP ++.B condor_schedd_tmp_t ++.EE ++ ++- Set files with the condor_schedd_tmp_t type, if you want to store condor schedd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B condor_startd_exec_t ++.EE ++ ++- Set files with the condor_startd_exec_t type, if you want to transition an executable to the condor_startd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/condor_starter, /usr/sbin/condor_startd ++ ++.EX ++.PP ++.B condor_startd_tmp_t ++.EE ++ ++- Set files with the condor_startd_tmp_t type, if you want to store condor startd temporary files in the /tmp directories. 
++ ++ ++.EX ++.PP ++.B condor_startd_tmpfs_t ++.EE ++ ++- Set files with the condor_startd_tmpfs_t type, if you want to store condor startd files on a tmpfs file system. ++ ++ ++.EX ++.PP ++.B condor_unit_file_t ++.EE ++ ++- Set files with the condor_unit_file_t type, if you want to treat the files as condor unit content. ++ ++ ++.EX ++.PP ++.B condor_var_lib_t ++.EE ++ ++- Set files with the condor_var_lib_t type, if you want to store the condor files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/condor(/.*)?, /var/lib/condor/execute(/.*)?, /var/lib/condor/spool(/.*)? ++ ++.EX ++.PP ++.B condor_var_lock_t ++.EE ++ ++- Set files with the condor_var_lock_t type, if you want to treat the files as condor var lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP ++.B condor_var_run_t ++.EE ++ ++- Set files with the condor_var_run_t type, if you want to store the condor files under the /run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux condor policy is very flexible allowing users to setup their condor processes in as secure a method as possible. 
++.PP ++The following port types are defined for condor: ++ ++.EX ++.TP 5 ++.B condor_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 9618 ++.EE ++udp 9618 ++.EE ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux condor policy is very flexible allowing users to setup their condor processes in as secure a method as possible. ++.PP ++The following process types are defined for condor: ++ ++.EX ++.B condor_collector_t, condor_startd_ssh_t, condor_procd_t, condor_negotiator_t, condor_schedd_t, condor_startd_t, condor_master_t ++.EE ++.PP ++Note: ++.B semanage permissive -a PROCESS_TYPE ++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage port ++can also be used to manipulate the port definitions ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was autogenerated by genman.py. ++ ++.SH "SEE ALSO" ++selinux(8), condor(8), semanage(8), restorecon(8), chcon(1) ++, setsebool(8) diff --git a/man/man8/consolekit_selinux.8 b/man/man8/consolekit_selinux.8 new file mode 100644 -index 0000000..bd653a4 +index 0000000..8efe64c --- /dev/null +++ b/man/man8/consolekit_selinux.8 @@ -0,0 +1,123 @@ 
@@ -8663,7 +8911,7 @@ index 0000000..bd653a4 +/var/run/console-kit-daemon\.pid, /var/run/ConsoleKit(/.*)?, /var/run/consolekit\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8708,7 +8956,7 @@ index 0000000..bd653a4 +selinux(8), consolekit(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/consoletype_selinux.8 b/man/man8/consoletype_selinux.8 new file mode 100644 -index 0000000..db62abe +index 0000000..9dc6c09 --- /dev/null +++ b/man/man8/consoletype_selinux.8 @@ -0,0 +1,77 @@ @@ -8746,7 +8994,7 @@ index 0000000..db62abe +/usr/sbin/consoletype, /sbin/consoletype + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8791,7 +9039,7 @@ index 0000000..db62abe +selinux(8), consoletype(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/corosync_selinux.8 b/man/man8/corosync_selinux.8 new file mode 100644 -index 0000000..c32c2ce +index 0000000..d3c5ce4 --- /dev/null +++ b/man/man8/corosync_selinux.8 @@ -0,0 +1,159 @@ 
@@ -8911,7 +9159,7 @@ index 0000000..c32c2ce +/var/run/rsctmp(/.*)?, /var/run/corosync\.pid, /var/run/cman_.*, /var/run/heartbeat(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8956,7 +9204,7 @@ index 0000000..c32c2ce +selinux(8), corosync(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/couchdb_selinux.8 b/man/man8/couchdb_selinux.8 new file mode 100644 -index 0000000..9ced651 +index 0000000..fe8af46 --- /dev/null +++ b/man/man8/couchdb_selinux.8 @@ -0,0 +1,163 @@ @@ -9052,7 +9300,7 @@ index 0000000..9ced651 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9125,7 +9373,7 @@ index 0000000..9ced651 +selinux(8), couchdb(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/courier_selinux.8 b/man/man8/courier_selinux.8 new file mode 100644 -index 0000000..9f3c497 +index 0000000..89e7fe7 --- /dev/null +++ b/man/man8/courier_selinux.8 @@ -0,0 +1,183 @@ 
@@ -9269,7 +9517,7 @@ index 0000000..9f3c497 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9314,7 +9562,7 @@ index 0000000..9f3c497 +selinux(8), courier(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cpucontrol_selinux.8 b/man/man8/cpucontrol_selinux.8 new file mode 100644 -index 0000000..b16af55 +index 0000000..9145f2b --- /dev/null +++ b/man/man8/cpucontrol_selinux.8 @@ -0,0 +1,85 @@ @@ -9360,7 +9608,7 @@ index 0000000..b16af55 +/sbin/microcode_ctl, /usr/sbin/microcode_ctl + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9405,7 +9653,7 @@ index 0000000..b16af55 +selinux(8), cpucontrol(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cpufreqselector_selinux.8 b/man/man8/cpufreqselector_selinux.8 new file mode 100644 -index 0000000..2f76dc7 +index 0000000..be066ae --- /dev/null +++ b/man/man8/cpufreqselector_selinux.8 @@ -0,0 +1,73 @@ 
@@ -9439,7 +9687,7 @@ index 0000000..2f76dc7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9484,7 +9732,7 @@ index 0000000..2f76dc7 +selinux(8), cpufreqselector(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cpuspeed_selinux.8 b/man/man8/cpuspeed_selinux.8 new file mode 100644 -index 0000000..91ed60d +index 0000000..3948ea7 --- /dev/null +++ b/man/man8/cpuspeed_selinux.8 @@ -0,0 +1,85 @@ @@ -9530,7 +9778,7 @@ index 0000000..91ed60d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9575,7 +9823,7 @@ index 0000000..91ed60d +selinux(8), cpuspeed(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/crack_selinux.8 b/man/man8/crack_selinux.8 new file mode 100644 -index 0000000..c17fa55 +index 0000000..02402d3 --- /dev/null +++ b/man/man8/crack_selinux.8 @@ -0,0 +1,97 @@ @@ -9633,7 +9881,7 @@ index 0000000..c17fa55 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -9678,7 +9926,7 @@ index 0000000..c17fa55 +selinux(8), crack(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/crond_selinux.8 b/man/man8/crond_selinux.8 new file mode 100644 -index 0000000..dcd4b550 +index 0000000..64e8674 --- /dev/null +++ b/man/man8/crond_selinux.8 @@ -0,0 +1,153 @@ @@ -9788,7 +10036,7 @@ index 0000000..dcd4b550 +/var/run/crond?\.pid, /var/run/.*cron.*, /var/run/fcron\.pid, /var/run/crond?\.reboot, /var/run/fcron\.fifo, /var/run/atd\.pid, /var/run/anacron\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9838,7 +10086,7 @@ index 0000000..dcd4b550 \ No newline at end of file diff --git a/man/man8/crontab_selinux.8 b/man/man8/crontab_selinux.8 new file mode 100644 -index 0000000..f33b2b3 +index 0000000..43963c6 --- /dev/null +++ b/man/man8/crontab_selinux.8 @@ -0,0 +1,99 @@ @@ -9898,7 +10146,7 @@ index 0000000..f33b2b3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9943,7 +10191,7 @@ index 0000000..f33b2b3 +selinux(8), crontab(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ctdbd_selinux.8 b/man/man8/ctdbd_selinux.8 new file mode 100644 -index 0000000..569b571 +index 0000000..d02c37a --- /dev/null +++ b/man/man8/ctdbd_selinux.8 @@ -0,0 +1,153 @@ 
@@ -10029,7 +10277,7 @@ index 0000000..569b571 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -10102,7 +10350,7 @@ index 0000000..569b571 +selinux(8), ctdbd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cups_selinux.8 b/man/man8/cups_selinux.8 new file mode 100644 -index 0000000..7d0d815 +index 0000000..3534e79 --- /dev/null +++ b/man/man8/cups_selinux.8 @@ -0,0 +1,235 @@ @@ -10167,7 +10415,7 @@ index 0000000..7d0d815 +.br +.TP 5 +Paths: -+/usr/sbin/printconf-backend, /usr/sbin/hal_lpadmin, /usr/lib/udev/udev-configure-printer, /usr/libexec/cups-pk-helper-mechanism, /usr/libexec/hal_lpadmin, /lib/udev/udev-configure-printer, /usr/bin/cups-config-daemon ++/usr/sbin/printconf-backend, /usr/sbin/hal_lpadmin, /usr/lib/udev/udev-configure-printer, /usr/bin/cups-config-daemon, /usr/libexec/cups-pk-helper-mechanism, /usr/libexec/hal_lpadmin, /lib/udev/udev-configure-printer + +.EX +.PP @@ -10231,7 +10479,7 @@ index 0000000..7d0d815 +.br +.TP 5 +Paths: -+/var/log/cups(/.*)?, /var/log/turboprint.*, /usr/local/Brother/fax/.*\.log ++/usr/local/Brother/fax/.*\.log.*, /var/log/cups(/.*)?, /var/log/turboprint.* + +.EX +.PP 
@@ -10298,7 +10546,7 @@ index 0000000..7d0d815 +/var/ccpd(/.*)?, /var/ekpd(/.*)?, /var/turboprint(/.*)?, /var/run/cups(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -10343,7 +10591,7 @@ index 0000000..7d0d815 +selinux(8), cups(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cupsd_selinux.8 b/man/man8/cupsd_selinux.8 new file mode 100644 -index 0000000..c5695a9 +index 0000000..5df9c63 --- /dev/null +++ b/man/man8/cupsd_selinux.8 @@ -0,0 +1,219 @@ @@ -10392,7 +10640,7 @@ index 0000000..c5695a9 +.br +.TP 5 +Paths: -+/usr/sbin/printconf-backend, /usr/sbin/hal_lpadmin, /usr/lib/udev/udev-configure-printer, /usr/libexec/cups-pk-helper-mechanism, /usr/libexec/hal_lpadmin, /lib/udev/udev-configure-printer, /usr/bin/cups-config-daemon ++/usr/sbin/printconf-backend, /usr/sbin/hal_lpadmin, /usr/lib/udev/udev-configure-printer, /usr/bin/cups-config-daemon, /usr/libexec/cups-pk-helper-mechanism, /usr/libexec/hal_lpadmin, /lib/udev/udev-configure-printer + +.EX +.PP @@ -10456,7 +10704,7 @@ index 0000000..c5695a9 +.br +.TP 5 +Paths: -+/var/log/cups(/.*)?, /var/log/turboprint.*, /usr/local/Brother/fax/.*\.log ++/usr/local/Brother/fax/.*\.log.*, /var/log/cups(/.*)?, /var/log/turboprint.* + +.EX +.PP 
@@ -10523,7 +10771,7 @@ index 0000000..c5695a9 +/var/ccpd(/.*)?, /var/ekpd(/.*)?, /var/turboprint(/.*)?, /var/run/cups(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -10568,7 +10816,7 @@ index 0000000..c5695a9 +selinux(8), cupsd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cvs_selinux.8 b/man/man8/cvs_selinux.8 new file mode 100644 -index 0000000..f98abb8 +index 0000000..bbec072 --- /dev/null +++ b/man/man8/cvs_selinux.8 @@ -0,0 +1,174 @@ @@ -10585,7 +10833,7 @@ index 0000000..f98abb8 + + +.PP -+If you want to allow cvs daemon to read shado, you must turn on the cvs_read_shadow boolean. ++If you want to allow cvs daemon to read shadow, you must turn on the cvs_read_shadow boolean. + +.EX +.B setsebool -P cvs_read_shadow 1 @@ -10671,7 +10919,7 @@ index 0000000..f98abb8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -10749,7 +10997,7 @@ index 0000000..f98abb8 \ No newline at end of file diff --git a/man/man8/cyphesis_selinux.8 b/man/man8/cyphesis_selinux.8 new file mode 100644 -index 0000000..d1d00eb +index 0000000..920e97f --- /dev/null +++ b/man/man8/cyphesis_selinux.8 @@ -0,0 +1,125 @@ 
@@ -10807,7 +11055,7 @@ index 0000000..d1d00eb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -10880,7 +11128,7 @@ index 0000000..d1d00eb +selinux(8), cyphesis(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cyrus_selinux.8 b/man/man8/cyrus_selinux.8 new file mode 100644 -index 0000000..952bce0 +index 0000000..d8334d2 --- /dev/null +++ b/man/man8/cyrus_selinux.8 @@ -0,0 +1,135 @@ @@ -10976,7 +11224,7 @@ index 0000000..952bce0 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11092,7 +11340,7 @@ index 0000000..4bbec80 +selinux(8), semanage(8). diff --git a/man/man8/dbskkd_selinux.8 b/man/man8/dbskkd_selinux.8 new file mode 100644 -index 0000000..c242885 +index 0000000..e7106ae --- /dev/null +++ b/man/man8/dbskkd_selinux.8 @@ -0,0 +1,129 @@ @@ -11156,7 +11404,7 @@ index 0000000..c242885 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -11227,7 +11475,7 @@ index 0000000..c242885 +selinux(8), dbskkd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dcc_selinux.8 b/man/man8/dcc_selinux.8 new file mode 100644 -index 0000000..70d5d78 +index 0000000..eaba130 --- /dev/null +++ b/man/man8/dcc_selinux.8 @@ -0,0 +1,258 @@ @@ -11407,7 +11655,7 @@ index 0000000..70d5d78 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11491,7 +11739,7 @@ index 0000000..70d5d78 +selinux(8), dcc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dccd_selinux.8 b/man/man8/dccd_selinux.8 new file mode 100644 -index 0000000..04f1603 +index 0000000..37ca629 --- /dev/null +++ b/man/man8/dccd_selinux.8 @@ -0,0 +1,142 @@ @@ -11555,7 +11803,7 @@ index 0000000..04f1603 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11639,7 +11887,7 @@ index 0000000..04f1603 +selinux(8), dccd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dccifd_selinux.8 b/man/man8/dccifd_selinux.8 new file mode 100644 -index 0000000..833573b +index 0000000..d1647bd --- /dev/null +++ b/man/man8/dccifd_selinux.8 @@ -0,0 +1,107 @@ 
@@ -11707,7 +11955,7 @@ index 0000000..833573b +/etc/dcc/dccifd, /var/run/dcc/dccifd + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11752,7 +12000,7 @@ index 0000000..833573b +selinux(8), dccifd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dccm_selinux.8 b/man/man8/dccm_selinux.8 new file mode 100644 -index 0000000..a6c45e9 +index 0000000..f930d66 --- /dev/null +++ b/man/man8/dccm_selinux.8 @@ -0,0 +1,131 @@ @@ -11816,7 +12064,7 @@ index 0000000..a6c45e9 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11889,7 +12137,7 @@ index 0000000..a6c45e9 +selinux(8), dccm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dcerpcd_selinux.8 b/man/man8/dcerpcd_selinux.8 new file mode 100644 -index 0000000..6cbed0f +index 0000000..10ac2d2 --- /dev/null +++ b/man/man8/dcerpcd_selinux.8 @@ -0,0 +1,97 @@ 
@@ -11947,7 +12195,7 @@ index 0000000..6cbed0f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11992,7 +12240,7 @@ index 0000000..6cbed0f +selinux(8), dcerpcd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ddclient_selinux.8 b/man/man8/ddclient_selinux.8 new file mode 100644 -index 0000000..7682599 +index 0000000..15e7310 --- /dev/null +++ b/man/man8/ddclient_selinux.8 @@ -0,0 +1,141 @@ @@ -12094,7 +12342,7 @@ index 0000000..7682599 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12139,7 +12387,7 @@ index 0000000..7682599 +selinux(8), ddclient(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/deltacloudd_selinux.8 b/man/man8/deltacloudd_selinux.8 new file mode 100644 -index 0000000..8a55ce3 +index 0000000..1abae65 --- /dev/null +++ b/man/man8/deltacloudd_selinux.8 @@ -0,0 +1,111 @@ 
@@ -12211,7 +12459,7 @@ index 0000000..8a55ce3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12256,7 +12504,7 @@ index 0000000..8a55ce3 +selinux(8), deltacloudd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/denyhosts_selinux.8 b/man/man8/denyhosts_selinux.8 new file mode 100644 -index 0000000..35b4039 +index 0000000..1ab2fa0 --- /dev/null +++ b/man/man8/denyhosts_selinux.8 @@ -0,0 +1,119 @@ @@ -12336,7 +12584,7 @@ index 0000000..35b4039 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12381,7 +12629,7 @@ index 0000000..35b4039 +selinux(8), denyhosts(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/depmod_selinux.8 b/man/man8/depmod_selinux.8 new file mode 100644 -index 0000000..49b8acb +index 0000000..0db30f2 --- /dev/null +++ b/man/man8/depmod_selinux.8 @@ -0,0 +1,77 @@ 
@@ -12419,7 +12667,7 @@ index 0000000..49b8acb +/sbin/depmod.*, /usr/sbin/depmod.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12464,7 +12712,7 @@ index 0000000..49b8acb +selinux(8), depmod(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/devicekit_selinux.8 b/man/man8/devicekit_selinux.8 new file mode 100644 -index 0000000..f60f7aa +index 0000000..8f4dbf7 --- /dev/null +++ b/man/man8/devicekit_selinux.8 @@ -0,0 +1,155 @@ @@ -12565,7 +12813,7 @@ index 0000000..f60f7aa +.br +.TP 5 +Paths: -+/var/log/pm-suspend\.log, /var/log/pm-powersave\.log ++/var/log/pm-suspend\.log.*, /var/log/pm-powersave\.log.* + +.EX +.PP @@ -12580,7 +12828,7 @@ index 0000000..f60f7aa +/var/run/upower(/.*)?, /var/run/udisks.*, /var/run/devkit(/.*)?, /var/run/DeviceKit-disks(/.*)?, /var/run/pm-utils(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12625,7 +12873,7 @@ index 0000000..f60f7aa +selinux(8), devicekit(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dhcpc_selinux.8 b/man/man8/dhcpc_selinux.8 new file mode 100644 -index 0000000..06082f5 +index 0000000..7638a9c --- /dev/null +++ b/man/man8/dhcpc_selinux.8 @@ -0,0 +1,174 @@ 
@@ -12642,7 +12890,7 @@ index 0000000..06082f5 + + +.PP -+If you want to allow dhcpc client applications to execute iptables command, you must turn on the dhcpc_exec_iptables boolean. ++If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean. + +.EX +.B setsebool -P dhcpc_exec_iptables 1 @@ -12728,7 +12976,7 @@ index 0000000..06082f5 +/var/run/dhclient.*, /var/run/dhcpcd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12806,7 +13054,7 @@ index 0000000..06082f5 \ No newline at end of file diff --git a/man/man8/dhcpd_selinux.8 b/man/man8/dhcpd_selinux.8 new file mode 100644 -index 0000000..073af6e +index 0000000..371086a --- /dev/null +++ b/man/man8/dhcpd_selinux.8 @@ -0,0 +1,194 @@ @@ -12823,14 +13071,14 @@ index 0000000..073af6e + + +.PP -+If you want to allow dhcpc client applications to execute iptables command, you must turn on the dhcpc_exec_iptables boolean. ++If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean. + +.EX +.B setsebool -P dhcpc_exec_iptables 1 +.EE + +.PP -+If you want to allow DHCP daemon to use LDAP backend, you must turn on the dhcpd_use_ldap boolean. ++If you want to allow DHCP daemon to use LDAP backends, you must turn on the dhcpd_use_ldap boolean. + +.EX +.B setsebool -P dhcpd_use_ldap 1 
@@ -12916,7 +13164,7 @@ index 0000000..073af6e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13007,7 +13255,7 @@ index 0000000..073af6e \ No newline at end of file diff --git a/man/man8/dictd_selinux.8 b/man/man8/dictd_selinux.8 new file mode 100644 -index 0000000..cfa1980 +index 0000000..428bd7b --- /dev/null +++ b/man/man8/dictd_selinux.8 @@ -0,0 +1,145 @@ @@ -13087,7 +13335,7 @@ index 0000000..cfa1980 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13158,7 +13406,7 @@ index 0000000..cfa1980 +selinux(8), dictd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dirsrv_selinux.8 b/man/man8/dirsrv_selinux.8 new file mode 100644 -index 0000000..1c30463 +index 0000000..8264151 --- /dev/null +++ b/man/man8/dirsrv_selinux.8 @@ -0,0 +1,227 @@ 
@@ -13346,7 +13594,7 @@ index 0000000..1c30463 +/usr/lib/dirsrv/cgi-bin/ds_remove, /usr/lib/dirsrv/cgi-bin/ds_create + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13391,7 +13639,7 @@ index 0000000..1c30463 +selinux(8), dirsrv(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dirsrvadmin_selinux.8 b/man/man8/dirsrvadmin_selinux.8 new file mode 100644 -index 0000000..1566389 +index 0000000..8f4b784 --- /dev/null +++ b/man/man8/dirsrvadmin_selinux.8 @@ -0,0 +1,117 @@ @@ -13469,7 +13717,7 @@ index 0000000..1566389 +/usr/lib/dirsrv/cgi-bin/ds_remove, /usr/lib/dirsrv/cgi-bin/ds_create + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13514,7 +13762,7 @@ index 0000000..1566389 +selinux(8), dirsrvadmin(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/disk_selinux.8 b/man/man8/disk_selinux.8 new file mode 100644 -index 0000000..ebf8c64 +index 0000000..fd60eaf --- /dev/null +++ b/man/man8/disk_selinux.8 @@ -0,0 +1,85 @@ 
@@ -13560,7 +13808,7 @@ index 0000000..ebf8c64 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13605,7 +13853,7 @@ index 0000000..ebf8c64 +selinux(8), disk(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dkim_selinux.8 b/man/man8/dkim_selinux.8 new file mode 100644 -index 0000000..6927ca6 +index 0000000..24d191c --- /dev/null +++ b/man/man8/dkim_selinux.8 @@ -0,0 +1,107 @@ @@ -13673,7 +13921,7 @@ index 0000000..6927ca6 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13718,7 +13966,7 @@ index 0000000..6927ca6 +selinux(8), dkim(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dlm_selinux.8 b/man/man8/dlm_selinux.8 new file mode 100644 -index 0000000..a848021 +index 0000000..8937eb5 --- /dev/null +++ b/man/man8/dlm_selinux.8 @@ -0,0 +1,97 @@ @@ -13776,7 +14024,7 @@ index 0000000..a848021 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -13821,7 +14069,7 @@ index 0000000..a848021 +selinux(8), dlm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dmesg_selinux.8 b/man/man8/dmesg_selinux.8 new file mode 100644 -index 0000000..34ef559 +index 0000000..dfc5418 --- /dev/null +++ b/man/man8/dmesg_selinux.8 @@ -0,0 +1,92 @@ @@ -13870,7 +14118,7 @@ index 0000000..34ef559 +/usr/bin/dmesg, /bin/dmesg + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13920,7 +14168,7 @@ index 0000000..34ef559 \ No newline at end of file diff --git a/man/man8/dmidecode_selinux.8 b/man/man8/dmidecode_selinux.8 new file mode 100644 -index 0000000..b39aa66 +index 0000000..b3c9617 --- /dev/null +++ b/man/man8/dmidecode_selinux.8 @@ -0,0 +1,77 @@ @@ -13958,7 +14206,7 @@ index 0000000..b39aa66 +/usr/sbin/dmidecode, /usr/sbin/vpddecode, /usr/sbin/ownership + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14003,7 +14251,7 @@ index 0000000..b39aa66 +selinux(8), dmidecode(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dnsmasq_selinux.8 b/man/man8/dnsmasq_selinux.8 new file mode 100644 -index 0000000..5c245ca +index 0000000..2326218 --- /dev/null +++ b/man/man8/dnsmasq_selinux.8 @@ -0,0 +1,143 @@ 
@@ -14107,7 +14355,7 @@ index 0000000..5c245ca +/var/run/dnsmasq\.pid, /var/run/libvirt/network(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14152,7 +14400,7 @@ index 0000000..5c245ca +selinux(8), dnsmasq(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dnssec_selinux.8 b/man/man8/dnssec_selinux.8 new file mode 100644 -index 0000000..2e5ce91 +index 0000000..6289e0e --- /dev/null +++ b/man/man8/dnssec_selinux.8 @@ -0,0 +1,119 @@ @@ -14206,7 +14454,7 @@ index 0000000..2e5ce91 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14277,7 +14525,7 @@ index 0000000..2e5ce91 +selinux(8), dnssec(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dovecot_selinux.8 b/man/man8/dovecot_selinux.8 new file mode 100644 -index 0000000..17a5b07 +index 0000000..dd2065a --- /dev/null +++ b/man/man8/dovecot_selinux.8 @@ -0,0 +1,223 @@ 
@@ -14461,7 +14709,7 @@ index 0000000..17a5b07 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14506,7 +14754,7 @@ index 0000000..17a5b07 +selinux(8), dovecot(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/drbd_selinux.8 b/man/man8/drbd_selinux.8 new file mode 100644 -index 0000000..c0f3851 +index 0000000..d38f112 --- /dev/null +++ b/man/man8/drbd_selinux.8 @@ -0,0 +1,93 @@ @@ -14560,7 +14808,7 @@ index 0000000..c0f3851 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14605,7 +14853,7 @@ index 0000000..c0f3851 +selinux(8), drbd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dspam_selinux.8 b/man/man8/dspam_selinux.8 new file mode 100644 -index 0000000..0d25038 +index 0000000..981857d --- /dev/null +++ b/man/man8/dspam_selinux.8 @@ -0,0 +1,127 @@ @@ -14693,7 +14941,7 @@ index 0000000..0d25038 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -14738,7 +14986,7 @@ index 0000000..0d25038 +selinux(8), dspam(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/entropyd_selinux.8 b/man/man8/entropyd_selinux.8 new file mode 100644 -index 0000000..5be048a +index 0000000..0ce9c6d --- /dev/null +++ b/man/man8/entropyd_selinux.8 @@ -0,0 +1,118 @@ @@ -14755,7 +15003,7 @@ index 0000000..5be048a + + +.PP -+If you want to allow the use of the audio devices as the source for the entropy feed, you must turn on the entropyd_use_audio boolean. ++If you want to allow the use of the audio devices as the source for the entropy feeds, you must turn on the entropyd_use_audio boolean. + +.EX +.B setsebool -P entropyd_use_audio 1 @@ -14813,7 +15061,7 @@ index 0000000..5be048a +/var/run/audio-entropyd\.pid, /var/run/haveged\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14863,7 +15111,7 @@ index 0000000..5be048a \ No newline at end of file diff --git a/man/man8/eventlogd_selinux.8 b/man/man8/eventlogd_selinux.8 new file mode 100644 -index 0000000..781e7e8 +index 0000000..77d6098 --- /dev/null +++ b/man/man8/eventlogd_selinux.8 @@ -0,0 +1,97 @@ @@ -14921,7 +15169,7 @@ index 0000000..781e7e8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -14966,7 +15214,7 @@ index 0000000..781e7e8 +selinux(8), eventlogd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/evtchnd_selinux.8 b/man/man8/evtchnd_selinux.8 new file mode 100644 -index 0000000..e804c60 +index 0000000..28b3a31 --- /dev/null +++ b/man/man8/evtchnd_selinux.8 @@ -0,0 +1,93 @@ @@ -15020,7 +15268,7 @@ index 0000000..e804c60 +/var/run/evtchnd, /var/run/evtchnd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15065,7 +15313,7 @@ index 0000000..e804c60 +selinux(8), evtchnd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/exim_selinux.8 b/man/man8/exim_selinux.8 new file mode 100644 -index 0000000..c27392c +index 0000000..4d6add4 --- /dev/null +++ b/man/man8/exim_selinux.8 @@ -0,0 +1,168 @@ @@ -15089,7 +15337,7 @@ index 0000000..c27392c +.EE + +.PP -+If you want to allow exim to connect to databases (postgres, mysql, you must turn on the exim_can_connect_db boolean. ++If you want to allow exim to connect to databases (postgres, mysql), you must turn on the exim_can_connect_db boolean. + +.EX +.B setsebool -P exim_can_connect_db 1 @@ -15190,7 +15438,7 @@ index 0000000..c27392c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15240,7 +15488,7 @@ index 0000000..c27392c \ No newline at end of file 
diff --git a/man/man8/fail2ban_selinux.8 b/man/man8/fail2ban_selinux.8 new file mode 100644 -index 0000000..d44f080 +index 0000000..c627231 --- /dev/null +++ b/man/man8/fail2ban_selinux.8 @@ -0,0 +1,139 @@ @@ -15340,7 +15588,7 @@ index 0000000..d44f080 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15385,7 +15633,7 @@ index 0000000..d44f080 +selinux(8), fail2ban(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/fcoemon_selinux.8 b/man/man8/fcoemon_selinux.8 new file mode 100644 -index 0000000..f3611a7 +index 0000000..2fa85bd --- /dev/null +++ b/man/man8/fcoemon_selinux.8 @@ -0,0 +1,85 @@ @@ -15431,7 +15679,7 @@ index 0000000..f3611a7 +/var/run/fcm(/.*)?, /var/run/fcoemon\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15476,7 +15724,7 @@ index 0000000..f3611a7 +selinux(8), fcoemon(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/fenced_selinux.8 b/man/man8/fenced_selinux.8 new file mode 100644 -index 0000000..c0f5224 +index 0000000..91c14a1 --- /dev/null +++ b/man/man8/fenced_selinux.8 @@ -0,0 +1,157 @@ 
@@ -15590,7 +15838,7 @@ index 0000000..c0f5224 +/var/run/cluster/fenced_override, /var/run/cluster/fence_scsi.*, /var/run/fenced\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15640,7 +15888,7 @@ index 0000000..c0f5224 \ No newline at end of file diff --git a/man/man8/fetchmail_selinux.8 b/man/man8/fetchmail_selinux.8 new file mode 100644 -index 0000000..8ede23f +index 0000000..c5b118c --- /dev/null +++ b/man/man8/fetchmail_selinux.8 @@ -0,0 +1,109 @@ @@ -15710,7 +15958,7 @@ index 0000000..8ede23f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15755,7 +16003,7 @@ index 0000000..8ede23f +selinux(8), fetchmail(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/fingerd_selinux.8 b/man/man8/fingerd_selinux.8 new file mode 100644 -index 0000000..ad1ac54 +index 0000000..a2d9656 --- /dev/null +++ b/man/man8/fingerd_selinux.8 @@ -0,0 +1,141 @@ 
@@ -15831,7 +16079,7 @@ index 0000000..ad1ac54 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15902,7 +16150,7 @@ index 0000000..ad1ac54 +selinux(8), fingerd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/firewalld_selinux.8 b/man/man8/firewalld_selinux.8 new file mode 100644 -index 0000000..7171c2f +index 0000000..e15374d --- /dev/null +++ b/man/man8/firewalld_selinux.8 @@ -0,0 +1,131 @@ @@ -15994,7 +16242,7 @@ index 0000000..7171c2f +/var/run/firewalld\.pid, /var/run/firewalld(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16039,7 +16287,7 @@ index 0000000..7171c2f +selinux(8), firewalld(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/firewallgui_selinux.8 b/man/man8/firewallgui_selinux.8 new file mode 100644 -index 0000000..26dd213 +index 0000000..38b6b12 --- /dev/null +++ b/man/man8/firewallgui_selinux.8 @@ -0,0 +1,95 @@ 
@@ -16095,7 +16343,7 @@ index 0000000..26dd213 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16140,7 +16388,7 @@ index 0000000..26dd213 +selinux(8), firewallgui(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/firstboot_selinux.8 b/man/man8/firstboot_selinux.8 new file mode 100644 -index 0000000..b6706ee +index 0000000..264d99f --- /dev/null +++ b/man/man8/firstboot_selinux.8 @@ -0,0 +1,85 @@ @@ -16186,7 +16434,7 @@ index 0000000..b6706ee +/usr/share/firstboot/firstboot\.py, /usr/sbin/firstboot + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16231,7 +16479,7 @@ index 0000000..b6706ee +selinux(8), firstboot(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/foghorn_selinux.8 b/man/man8/foghorn_selinux.8 new file mode 100644 -index 0000000..a9d286f +index 0000000..8b3fea3 --- /dev/null +++ b/man/man8/foghorn_selinux.8 @@ -0,0 +1,97 @@ 
@@ -16289,7 +16537,7 @@ index 0000000..a9d286f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16334,7 +16582,7 @@ index 0000000..a9d286f +selinux(8), foghorn(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/fprintd_selinux.8 b/man/man8/fprintd_selinux.8 new file mode 100644 -index 0000000..8195c2b +index 0000000..182329d --- /dev/null +++ b/man/man8/fprintd_selinux.8 @@ -0,0 +1,95 @@ @@ -16390,7 +16638,7 @@ index 0000000..8195c2b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16435,7 +16683,7 @@ index 0000000..8195c2b +selinux(8), fprintd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/freshclam_selinux.8 b/man/man8/freshclam_selinux.8 new file mode 100644 -index 0000000..b282ccc +index 0000000..53bd4b3 --- /dev/null +++ b/man/man8/freshclam_selinux.8 @@ -0,0 +1,99 @@ 
@@ -16495,7 +16743,7 @@ index 0000000..b282ccc +/var/log/clamav/freshclam.*, /var/log/freshclam.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16540,7 +16788,7 @@ index 0000000..b282ccc +selinux(8), freshclam(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/fsadm_selinux.8 b/man/man8/fsadm_selinux.8 new file mode 100644 -index 0000000..1b3d83f +index 0000000..52c7f19 --- /dev/null +++ b/man/man8/fsadm_selinux.8 @@ -0,0 +1,93 @@ @@ -16594,7 +16842,7 @@ index 0000000..1b3d83f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16639,7 +16887,7 @@ index 0000000..1b3d83f +selinux(8), fsadm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/fsdaemon_selinux.8 b/man/man8/fsdaemon_selinux.8 new file mode 100644 -index 0000000..c1d45a3 +index 0000000..ba27b25 --- /dev/null +++ b/man/man8/fsdaemon_selinux.8 @@ -0,0 +1,97 @@ 
@@ -16697,7 +16945,7 @@ index 0000000..c1d45a3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16741,7 +16989,7 @@ index 0000000..c1d45a3 +.SH "SEE ALSO" +selinux(8), fsdaemon(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8 -index 5bebd82..3fad4c1 100644 +index 5bebd82..fd2036b 100644 --- a/man/man8/ftpd_selinux.8 +++ b/man/man8/ftpd_selinux.8 @@ -1,65 +1,346 @@ @@ -16763,7 +17011,7 @@ index 5bebd82..3fad4c1 100644 .PP -Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control. -.SH FILE_CONTEXTS -+If you want to allow ftp to read and write files in the user home directorie, you must turn on the ftp_home_dir boolean. ++If you want to allow ftp to read and write files in the user home directories, you must turn on the ftp_home_dir boolean. + +.EX +.B setsebool -P ftp_home_dir 1 @@ -16799,7 +17047,7 @@ index 5bebd82..3fad4c1 100644 -.TP -.B -restorecon -F -R -v /var/ftp/incoming -+If you want to allow ftp servers to connect to mysql database port, you must turn on the ftpd_connect_db boolean. ++If you want to allow ftp servers to connect to mysql database ports, you must turn on the ftpd_connect_db boolean. + +.EX +.B setsebool -P ftpd_connect_db 1 
@@ -16821,7 +17069,7 @@ index 5bebd82..3fad4c1 100644 -setsebool -P allow_ftpd_anon_write on -.TP -Allow ftp servers to read or write files in the user home directories. -+If you want to allow sftp-internal to read and write files in the user home directorie, you must turn on the sftpd_enable_homedirs boolean. ++If you want to allow sftp-internal to read and write files in the user home directories, you must turn on the sftpd_enable_homedirs boolean. + +.EX +.B setsebool -P sftpd_enable_homedirs 1 @@ -16832,7 +17080,7 @@ index 5bebd82..3fad4c1 100644 -setsebool -P ftp_home_dir on -.TP -Allow ftp servers to read or write all files on the system. -+If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral port, you must turn on the httpd_can_connect_ftp boolean. ++If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean. + +.EX +.B setsebool -P httpd_can_connect_ftp 1 @@ -16841,7 +17089,7 @@ index 5bebd82..3fad4c1 100644 .PP -.B -setsebool -P allow_ftpd_full_access on -+If you want to allow ftp servers to use bind to all unreserved ports for passive mod, you must turn on the ftpd_use_passive_mode boolean. ++If you want to allow ftp servers to use bind to all unreserved ports for passive mode, you must turn on the ftpd_use_passive_mode boolean. + +.EX +.B setsebool -P ftpd_use_passive_mode 1 @@ -16862,7 +17110,7 @@ index 5bebd82..3fad4c1 100644 +.EE + +.PP -+If you want to allow ftp servers to connect to all ports > 102, you must turn on the ftpd_connect_all_unreserved boolean. ++If you want to allow ftp servers to connect to all ports > 1023, you must turn on the ftpd_connect_all_unreserved boolean. + +.EX +.B setsebool -P ftpd_connect_all_unreserved 1 
@@ -17048,7 +17296,7 @@ index 5bebd82..3fad4c1 100644 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17138,7 +17386,7 @@ index 5bebd82..3fad4c1 100644 \ No newline at end of file diff --git a/man/man8/ftpdctl_selinux.8 b/man/man8/ftpdctl_selinux.8 new file mode 100644 -index 0000000..205df84 +index 0000000..de1008c --- /dev/null +++ b/man/man8/ftpdctl_selinux.8 @@ -0,0 +1,81 @@ @@ -17180,7 +17428,7 @@ index 0000000..205df84 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17225,7 +17473,7 @@ index 0000000..205df84 +selinux(8), ftpdctl(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/games_selinux.8 b/man/man8/games_selinux.8 new file mode 100644 -index 0000000..b8b7acb +index 0000000..30f96ce --- /dev/null +++ b/man/man8/games_selinux.8 @@ -0,0 +1,113 @@ @@ -17299,7 +17547,7 @@ index 0000000..b8b7acb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -17344,7 +17592,7 @@ index 0000000..b8b7acb +selinux(8), games(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gconfd_selinux.8 b/man/man8/gconfd_selinux.8 new file mode 100644 -index 0000000..60a90d3 +index 0000000..7162430 --- /dev/null +++ b/man/man8/gconfd_selinux.8 @@ -0,0 +1,81 @@ @@ -17386,7 +17634,7 @@ index 0000000..60a90d3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17431,7 +17679,7 @@ index 0000000..60a90d3 +selinux(8), gconfd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gconfdefaultsm_selinux.8 b/man/man8/gconfdefaultsm_selinux.8 new file mode 100644 -index 0000000..57f2bed +index 0000000..64fecad --- /dev/null +++ b/man/man8/gconfdefaultsm_selinux.8 @@ -0,0 +1,73 @@ @@ -17465,7 +17713,7 @@ index 0000000..57f2bed + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17510,7 +17758,7 @@ index 0000000..57f2bed +selinux(8), gconfdefaultsm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/getty_selinux.8 b/man/man8/getty_selinux.8 new file mode 100644 -index 0000000..830dccf +index 0000000..26e8219 --- /dev/null +++ b/man/man8/getty_selinux.8 @@ -0,0 +1,139 @@ 
@@ -17610,7 +17858,7 @@ index 0000000..830dccf +/var/spool/voice(/.*)?, /var/spool/fax(/.*)?, /var/run/mgetty\.pid.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17655,7 +17903,7 @@ index 0000000..830dccf +selinux(8), getty(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gfs_selinux.8 b/man/man8/gfs_selinux.8 new file mode 100644 -index 0000000..fe8cb5a +index 0000000..5987bae --- /dev/null +++ b/man/man8/gfs_selinux.8 @@ -0,0 +1,97 @@ @@ -17713,7 +17961,7 @@ index 0000000..fe8cb5a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17947,7 +18195,7 @@ index 0000000..6031c31 +selinux(8), semanage(8). diff --git a/man/man8/gitosis_selinux.8 b/man/man8/gitosis_selinux.8 new file mode 100644 -index 0000000..7bad946 +index 0000000..f5ebde4 --- /dev/null +++ b/man/man8/gitosis_selinux.8 @@ -0,0 +1,104 @@ @@ -17964,7 +18212,7 @@ index 0000000..7bad946 + + +.PP -+If you want to allow gitisis daemon to send mai, you must turn on the gitosis_can_sendmail boolean. ++If you want to allow gitisis daemon to send mail, you must turn on the gitosis_can_sendmail boolean. + +.EX +.B setsebool -P gitosis_can_sendmail 1 
@@ -18008,7 +18256,7 @@ index 0000000..7bad946 +/var/lib/gitolite(/.*)?, /var/lib/gitosis(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18058,7 +18306,7 @@ index 0000000..7bad946 \ No newline at end of file diff --git a/man/man8/glance_selinux.8 b/man/man8/glance_selinux.8 new file mode 100644 -index 0000000..b34e8f0 +index 0000000..284b994 --- /dev/null +++ b/man/man8/glance_selinux.8 @@ -0,0 +1,178 @@ @@ -18156,7 +18404,7 @@ index 0000000..b34e8f0 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18240,31 +18488,31 @@ index 0000000..b34e8f0 + +.SH "SEE ALSO" +selinux(8), glance(8), semanage(8), restorecon(8), chcon(1) -diff --git a/man/man8/gnomeclock_selinux.8 b/man/man8/gnomeclock_selinux.8 +diff --git a/man/man8/glusterd_selinux.8 b/man/man8/glusterd_selinux.8 new file mode 100644 -index 0000000..03f43f2 +index 0000000..1255b93 
--- /dev/null -+++ b/man/man8/gnomeclock_selinux.8 -@@ -0,0 +1,91 @@ -+.TH "gnomeclock_selinux" "8" "gnomeclock" "dwalsh@redhat.com" "gnomeclock SELinux Policy documentation" ++++ b/man/man8/glusterd_selinux.8 +@@ -0,0 +1,151 @@ ++.TH "glusterd_selinux" "8" "glusterd" "dwalsh@redhat.com" "glusterd SELinux Policy documentation" +.SH "NAME" -+gnomeclock_selinux \- Security Enhanced Linux Policy for the gnomeclock processes ++glusterd_selinux \- Security Enhanced Linux Policy for the glusterd processes +.SH "DESCRIPTION" + -+Security-Enhanced Linux secures the gnomeclock processes via flexible mandatory access ++Security-Enhanced Linux secures the glusterd processes via flexible mandatory access +control. + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gnomeclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the glusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX +setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + +.PP -+If you want to allow confined applications to run with kerberos for the gnomeclock_t, you must turn on the kerberos_enabled boolean. ++If you want to allow confined applications to run with kerberos for the glusterd_t, you must turn on the kerberos_enabled boolean. + +.EX +setsebool -P kerberos_enabled 1 
@@ -18276,25 +18524,85 @@ index 0000000..03f43f2 +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP +Policy governs the access confined processes have to these files. -+SELinux gnomeclock policy is very flexible allowing users to setup their gnomeclock processes in as secure a method as possible. ++SELinux glusterd policy is very flexible allowing users to setup their glusterd processes in as secure a method as possible. +.PP -+The following file types are defined for gnomeclock: ++The following file types are defined for glusterd: + + +.EX +.PP -+.B gnomeclock_exec_t ++.B glusterd_etc_t +.EE + -+- Set files with the gnomeclock_exec_t type, if you want to transition an executable to the gnomeclock_t domain. ++- Set files with the glusterd_etc_t type, if you want to store glusterd files in the /etc directories. + +.br +.TP 5 +Paths: -+/usr/libexec/gsd-datetime-mechanism, /usr/libexec/kde(3|4)/kcmdatetimehelper, /usr/libexec/gnome-clock-applet-mechanism ++/etc/glusterfs(/.*)?, /etc/glusterd(/.*)? ++ ++.EX ++.PP ++.B glusterd_exec_t ++.EE ++ ++- Set files with the glusterd_exec_t type, if you want to transition an executable to the glusterd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/opt/glusterfs/[^/]+/sbin/glusterfsd, /usr/sbin/glusterfsd ++ ++.EX ++.PP ++.B glusterd_initrc_exec_t ++.EE ++ ++- Set files with the glusterd_initrc_exec_t type, if you want to transition an executable to the glusterd_initrc_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/glusterd, /etc/rc\.d/init\.d/glusterd ++ ++.EX ++.PP ++.B glusterd_log_t ++.EE ++ ++- Set files with the glusterd_log_t type, if you want to treat the data as glusterd log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B glusterd_tmp_t ++.EE ++ ++- Set files with the glusterd_tmp_t type, if you want to store glusterd temporary files in the /tmp directories. 
++ ++ ++.EX ++.PP ++.B glusterd_var_lib_t ++.EE ++ ++- Set files with the glusterd_var_lib_t type, if you want to store the glusterd files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B glusterd_var_run_t ++.EE ++ ++- Set files with the glusterd_var_run_t type, if you want to store the glusterd files under the /run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/glusterd\.pid, /var/run/glusterd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -18306,12 +18614,109 @@ index 0000000..03f43f2 +You can see the context of a process using the \fB\-Z\fP option to \fBps\bP +.PP +Policy governs the access confined processes have to files. -+SELinux gnomeclock policy is very flexible allowing users to setup their gnomeclock processes in as secure a method as possible. ++SELinux glusterd policy is very flexible allowing users to setup their glusterd processes in as secure a method as possible. +.PP -+The following process types are defined for gnomeclock: ++The following process types are defined for glusterd: + +.EX -+.B gnomeclock_t ++.B glusterd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a PROCESS_TYPE ++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was autogenerated by genman.py. ++ ++.SH "SEE ALSO" ++selinux(8), glusterd(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/gnomeclock_selinux.8 b/man/man8/gnomeclock_selinux.8 +new file mode 100644 +index 0000000..57d1458 +--- /dev/null ++++ b/man/man8/gnomeclock_selinux.8 +@@ -0,0 +1,91 @@ ++.TH "gnomeclock_selinux" "8" "gnomeclock" "dwalsh@redhat.com" "gnomeclock SELinux Policy documentation" ++.SH "NAME" ++gnomeclock_selinux \- Security Enhanced Linux Policy for the gnomeclock processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the gnomeclock processes via flexible mandatory access ++control. 
++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gnomeclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the gnomeclock_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux gnomeclock policy is very flexible allowing users to setup their gnomeclock processes in as secure a method as possible. ++.PP ++The following file types are defined for gnomeclock: ++ ++ ++.EX ++.PP ++.B gnomeclock_exec_t ++.EE ++ ++- Set files with the gnomeclock_exec_t type, if you want to transition an executable to the gnomeclock_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/libexec/gsd-datetime-mechanism, /usr/libexec/kde(3|4)/kcmdatetimehelper, /usr/libexec/gnome-clock-applet-mechanism ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux gnomeclock policy is very flexible allowing users to setup their gnomeclock processes in as secure a method as possible. 
++.PP ++The following process types are defined for gnomeclock: ++ ++.EX ++.B gnomeclock_t +.EE +.PP +Note: @@ -18339,7 +18744,7 @@ index 0000000..03f43f2 +selinux(8), gnomeclock(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gnomesystemmm_selinux.8 b/man/man8/gnomesystemmm_selinux.8 new file mode 100644 -index 0000000..d4a95e3 +index 0000000..ef13ae9 --- /dev/null +++ b/man/man8/gnomesystemmm_selinux.8 @@ -0,0 +1,77 @@ @@ -18377,7 +18782,7 @@ index 0000000..d4a95e3 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper, /usr/libexec/gnome-system-monitor-mechanism + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18422,7 +18827,7 @@ index 0000000..d4a95e3 +selinux(8), gnomesystemmm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gpg_selinux.8 b/man/man8/gpg_selinux.8 new file mode 100644 -index 0000000..b15e6a9 +index 0000000..0baaa29 --- /dev/null +++ b/man/man8/gpg_selinux.8 @@ -0,0 +1,187 @@ @@ -18446,7 +18851,7 @@ index 0000000..b15e6a9 +.EE + +.PP -+If you want to allow httpd to run gp, you must turn on the httpd_use_gpg boolean. ++If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean. + +.EX +.B setsebool -P httpd_use_gpg 1 
@@ -18566,7 +18971,7 @@ index 0000000..b15e6a9 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18616,7 +19021,7 @@ index 0000000..b15e6a9 \ No newline at end of file diff --git a/man/man8/gpm_selinux.8 b/man/man8/gpm_selinux.8 new file mode 100644 -index 0000000..2aec05b +index 0000000..a399e8a --- /dev/null +++ b/man/man8/gpm_selinux.8 @@ -0,0 +1,109 @@ @@ -18686,7 +19091,7 @@ index 0000000..2aec05b +/dev/gpmctl, /dev/gpmdata + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18731,7 +19136,7 @@ index 0000000..2aec05b +selinux(8), gpm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gpsd_selinux.8 b/man/man8/gpsd_selinux.8 new file mode 100644 -index 0000000..766d1fa +index 0000000..b1feb7f --- /dev/null +++ b/man/man8/gpsd_selinux.8 @@ -0,0 +1,141 @@ 
@@ -18807,7 +19212,7 @@ index 0000000..766d1fa +/var/run/gpsd\.sock, /var/run/gpsd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18878,7 +19283,7 @@ index 0000000..766d1fa +selinux(8), gpsd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/greylist_selinux.8 b/man/man8/greylist_selinux.8 new file mode 100644 -index 0000000..0401fa8 +index 0000000..420c772 --- /dev/null +++ b/man/man8/greylist_selinux.8 @@ -0,0 +1,99 @@ @@ -18938,7 +19343,7 @@ index 0000000..0401fa8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18983,7 +19388,7 @@ index 0000000..0401fa8 +selinux(8), greylist(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/groupadd_selinux.8 b/man/man8/groupadd_selinux.8 new file mode 100644 -index 0000000..ca51fb6 +index 0000000..05104f2 --- /dev/null +++ b/man/man8/groupadd_selinux.8 @@ -0,0 +1,91 @@ 
@@ -19035,7 +19440,7 @@ index 0000000..ca51fb6 +/usr/sbin/gpasswd, /usr/bin/gpasswd, /usr/sbin/groupdel, /usr/sbin/groupadd, /usr/sbin/groupmod + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -19080,7 +19485,7 @@ index 0000000..ca51fb6 +selinux(8), groupadd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/groupd_selinux.8 b/man/man8/groupd_selinux.8 new file mode 100644 -index 0000000..6c0c46a +index 0000000..e934b66 --- /dev/null +++ b/man/man8/groupd_selinux.8 @@ -0,0 +1,111 @@ @@ -19152,7 +19557,7 @@ index 0000000..6c0c46a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -19197,7 +19602,7 @@ index 0000000..6c0c46a +selinux(8), groupd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gssd_selinux.8 b/man/man8/gssd_selinux.8 new file mode 100644 -index 0000000..1188efb +index 0000000..559dae1 --- /dev/null +++ b/man/man8/gssd_selinux.8 @@ -0,0 +1,122 @@ 
@@ -19276,7 +19681,7 @@ index 0000000..1188efb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -19520,7 +19925,7 @@ index 0000000..faeeaf7 +selinux(8), semanage(8). diff --git a/man/man8/hddtemp_selinux.8 b/man/man8/hddtemp_selinux.8 new file mode 100644 -index 0000000..feb44f3 +index 0000000..9f14966 --- /dev/null +++ b/man/man8/hddtemp_selinux.8 @@ -0,0 +1,115 @@ @@ -19570,7 +19975,7 @@ index 0000000..feb44f3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -19641,7 +20046,7 @@ index 0000000..feb44f3 +selinux(8), hddtemp(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/hostname_selinux.8 b/man/man8/hostname_selinux.8 new file mode 100644 -index 0000000..2aa7e5a +index 0000000..6701415 --- /dev/null +++ b/man/man8/hostname_selinux.8 @@ -0,0 +1,77 @@ 
@@ -19679,7 +20084,7 @@ index 0000000..2aa7e5a +/bin/hostname, /usr/bin/hostname + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -19724,7 +20129,7 @@ index 0000000..2aa7e5a +selinux(8), hostname(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/hplip_selinux.8 b/man/man8/hplip_selinux.8 new file mode 100644 -index 0000000..2f01849 +index 0000000..fd1af3c --- /dev/null +++ b/man/man8/hplip_selinux.8 @@ -0,0 +1,139 @@ @@ -19798,7 +20203,7 @@ index 0000000..2f01849 +/var/run/hp.*\.pid, /var/run/hp.*\.port + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -19868,10 +20273,10 @@ index 0000000..2f01849 +.SH "SEE ALSO" +selinux(8), hplip(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8 -index 16e8b13..4a9dd69 100644 +index 16e8b13..0f70c71 100644 --- a/man/man8/httpd_selinux.8 +++ b/man/man8/httpd_selinux.8 -@@ -1,120 +1,1581 @@ +@@ -1,120 +1,1613 @@ -.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation" -.de EX -.nf 
@@ -19902,14 +20307,14 @@ index 16e8b13..4a9dd69 100644 + + +.PP -+If you want to allow httpd to act as a rela, you must turn on the httpd_can_network_relay boolean. ++If you want to allow httpd to act as a relay, you must turn on the httpd_can_network_relay boolean. + +.EX +.B setsebool -P httpd_can_network_relay 1 +.EE + +.PP -+If you want to allow httpd to communicate with oddjob to start up a servic, you must turn on the httpd_use_oddjob boolean. ++If you want to allow httpd to communicate with oddjob to start up a service, you must turn on the httpd_use_oddjob boolean. + +.EX +.B setsebool -P httpd_use_oddjob 1 
@@ -19923,49 +20328,49 @@ index 16e8b13..4a9dd69 100644 +.EE + +.PP -+If you want to allow httpd to run gp, you must turn on the httpd_use_gpg boolean. ++If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean. + +.EX +.B setsebool -P httpd_use_gpg 1 +.EE + +.PP -+If you want to allow httpd cgi suppor, you must turn on the httpd_enable_cgi boolean. ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. + +.EX +.B setsebool -P httpd_enable_cgi 1 +.EE + +.PP -+If you want to allow httpd to access cifs file system, you must turn on the httpd_use_cifs boolean. ++If you want to allow httpd to access cifs file systems, you must turn on the httpd_use_cifs boolean. + +.EX +.B setsebool -P httpd_use_cifs 1 +.EE + +.PP -+If you want to allow httpd processes to manage IPA conten, you must turn on the httpd_manage_ipa boolean. ++If you want to allow httpd processes to manage IPA content, you must turn on the httpd_manage_ipa boolean. + +.EX +.B setsebool -P httpd_manage_ipa 1 +.EE + +.PP -+If you want to allow Apache to run in stickshift mode, not transition to passenge, you must turn on the httpd_run_stickshift boolean. ++If you want to allow Apache to run in stickshift mode, not transition to passenger, you must turn on the httpd_run_stickshift boolean. + +.EX +.B setsebool -P httpd_run_stickshift 1 +.EE + +.PP -+If you want to allow httpd to read home directorie, you must turn on the httpd_enable_homedirs boolean. ++If you want to allow httpd to read home directories, you must turn on the httpd_enable_homedirs boolean. + +.EX +.B setsebool -P httpd_enable_homedirs 1 +.EE + +.PP -+If you want to allow Apache to communicate with avahi service via dbu, you must turn on the httpd_dbus_avahi boolean. ++If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean. + +.EX +.B setsebool -P httpd_dbus_avahi 1 
@@ -19979,7 +20384,7 @@ index 16e8b13..4a9dd69 100644 +.EE + +.PP -+If you want to allow Apache to use mod_auth_pa, you must turn on the httpd_mod_auth_pam boolean. ++If you want to allow Apache to use mod_auth_pam, you must turn on the httpd_mod_auth_pam boolean. + +.EX +.B setsebool -P httpd_mod_auth_pam 1 @@ -19993,21 +20398,21 @@ index 16e8b13..4a9dd69 100644 +.EE + +.PP -+If you want to allow httpd scripts and modules execmem/execstac, you must turn on the httpd_execmem boolean. ++If you want to allow httpd scripts and modules execmem/execstack, you must turn on the httpd_execmem boolean. + +.EX +.B setsebool -P httpd_execmem 1 +.EE + +.PP -+If you want to allow httpd to access cifs file system, you must turn on the httpd_use_fusefs boolean. ++If you want to allow httpd to access FUSE file systems, you must turn on the httpd_use_fusefs boolean. + +.EX +.B setsebool -P httpd_use_fusefs 1 +.EE + +.PP -+If you want to allow Apache to use mod_auth_ntlm_winbin, you must turn on the httpd_mod_auth_ntlm_winbind boolean. ++If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean. + +.EX +.B setsebool -P httpd_mod_auth_ntlm_winbind 1 
@@ -20021,28 +20426,28 @@ index 16e8b13..4a9dd69 100644 +.EE + +.PP -+If you want to allow HTTPD to connect to port 80 for graceful shutdow, you must turn on the httpd_graceful_shutdown boolean. ++If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean. + +.EX +.B setsebool -P httpd_graceful_shutdown 1 +.EE + +.PP -+If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral port, you must turn on the httpd_can_connect_ftp boolean. ++If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean. + +.EX +.B setsebool -P httpd_can_connect_ftp 1 +.EE + +.PP -+If you want to allow httpd to read user conten, you must turn on the httpd_read_user_content boolean. ++If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean. + +.EX +.B setsebool -P httpd_read_user_content 1 +.EE + +.PP -+If you want to allow httpd to access nfs file system, you must turn on the httpd_use_nfs boolean. ++If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean. + +.EX +.B setsebool -P httpd_use_nfs 1 
@@ -20056,21 +20461,21 @@ index 16e8b13..4a9dd69 100644 +.EE + +.PP -+If you want to allow http daemon to send mai, you must turn on the httpd_can_sendmail boolean. ++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. + +.EX +.B setsebool -P httpd_can_sendmail 1 +.EE + +.PP -+If you want to allow httpd to use built in scripting (usually php, you must turn on the httpd_builtin_scripting boolean. ++If you want to allow httpd to use built in scripting (usually php), you must turn on the httpd_builtin_scripting boolean. + +.EX +.B setsebool -P httpd_builtin_scripting 1 +.EE + +.PP -+If you want to allow httpd to connect to the ldap por, you must turn on the httpd_can_connect_ldap boolean. ++If you want to allow httpd to connect to the ldap port, you must turn on the httpd_can_connect_ldap boolean. + .EX -httpd_sys_content_t @@ -20080,7 +20485,7 @@ index 16e8b13..4a9dd69 100644 +.EE + +.PP -+If you want to allow http daemon to check spa, you must turn on the httpd_can_check_spam boolean. ++If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean. + +.EX +.B setsebool -P httpd_can_check_spam 1 @@ -20094,7 +20499,7 @@ index 16e8b13..4a9dd69 100644 +.EE + +.PP -+If you want to allow httpd to connect to memcache serve, you must turn on the httpd_can_network_memcache boolean. ++If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean. + +.EX +.B setsebool -P httpd_can_network_memcache 1 @@ -20115,7 +20520,7 @@ index 16e8b13..4a9dd69 100644 +.EE + +.PP -+If you want to allow httpd to access openstack port, you must turn on the httpd_use_openstack boolean. ++If you want to allow httpd to access openstack ports, you must turn on the httpd_use_openstack boolean. + +.EX +.B setsebool -P httpd_use_openstack 1 
@@ -20132,7 +20537,7 @@ index 16e8b13..4a9dd69 100644 +.EE + +.PP -+If you want to allow http daemon to connect to zabbi, you must turn on the httpd_can_connect_zabbix boolean. ++If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean. + .EX -httpd_sys_content_rw_t @@ -20141,7 +20546,7 @@ index 16e8b13..4a9dd69 100644 -- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. + +.PP -+If you want to allow httpd daemon to change its resource limit, you must turn on the httpd_setrlimit boolean. ++If you want to allow httpd daemon to change its resource limits, you must turn on the httpd_setrlimit boolean. + .EX -httpd_sys_content_ra_t @@ -20477,7 +20882,7 @@ index 16e8b13..4a9dd69 100644 +.br +.TP 5 +Paths: -+/etc/vhosts, /etc/httpd(/.*)?, /etc/apache(2)?(/.*)?, /etc/apache-ssl(2)?(/.*)?, /etc/lighttpd(/.*)?, /etc/cherokee(/.*)? ++/etc/vhosts, /etc/httpd(/.*)?, /etc/apache(2)?(/.*)?, /etc/apache-ssl(2)?(/.*)?, /etc/lighttpd(/.*)?, /var/lib/stickshift/.httpd.d(/.*)?, /etc/cherokee(/.*)? + +.EX +.PP 
@@ -20697,6 +21102,46 @@ index 16e8b13..4a9dd69 100644 + +.EX +.PP ++.B httpd_libra_content_t ++.EE ++ ++- Set files with the httpd_libra_content_t type, if you want to treat the files as httpd libra content. ++ ++ ++.EX ++.PP ++.B httpd_libra_htaccess_t ++.EE ++ ++- Set files with the httpd_libra_htaccess_t type, if you want to treat the file as a httpd libra access file. ++ ++ ++.EX ++.PP ++.B httpd_libra_ra_content_t ++.EE ++ ++- Set files with the httpd_libra_ra_content_t type, if you want to treat the files as httpd libra read/append content. ++ ++ ++.EX ++.PP ++.B httpd_libra_rw_content_t ++.EE ++ ++- Set files with the httpd_libra_rw_content_t type, if you want to treat the files as httpd libra read/write content. ++ ++ ++.EX ++.PP ++.B httpd_libra_script_exec_t ++.EE ++ ++- Set files with the httpd_libra_script_exec_t type, if you want to transition an executable to the httpd_libra_script_t domain. ++ ++ ++.EX ++.PP +.B httpd_lock_t +.EE + @@ -20713,7 +21158,7 @@ index 16e8b13..4a9dd69 100644 +.br +.TP 5 +Paths: -+/var/log/apache-ssl(2)?(/.*)?, /var/log/httpd(/.*)?, /var/log/apache(2)?(/.*)?, /var/log/cherokee(/.*)?, /var/log/roundcubemail(/.*)?, /var/log/cgiwrap\.log.*, /var/log/lighttpd(/.*)?, /var/www(/.*)?/logs(/.*)?, /var/log/suphp\.log, /var/log/cacti(/.*)?, /var/log/dirsrv/admin-serv(/.*)?, /etc/httpd/logs ++/var/log/apache-ssl(2)?(/.*)?, /var/log/suphp\.log.*, /var/log/httpd(/.*)?, /var/log/apache(2)?(/.*)?, /var/log/cherokee(/.*)?, /var/log/roundcubemail(/.*)?, /var/log/cgiwrap\.log.*, /var/log/lighttpd(/.*)?, /var/www(/.*)?/logs(/.*)?, /var/log/cacti(/.*)?, /var/log/dirsrv/admin-serv(/.*)?, /etc/httpd/logs + +.EX +.PP @@ -21253,14 +21698,6 @@ index 16e8b13..4a9dd69 100644 + +.EX +.PP -+.B httpd_unconfined_script_exec_t -+.EE -+ -+- Set files with the httpd_unconfined_script_exec_t type, if you want to transition an executable to the httpd_unconfined_script_t domain. -+ -+ -+.EX -+.PP +.B httpd_unit_file_t +.EE + 
@@ -21428,7 +21865,7 @@ index 16e8b13..4a9dd69 100644 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21481,7 +21918,7 @@ index 16e8b13..4a9dd69 100644 +The following process types are defined for httpd: + +.EX -+.B httpd_collectd_script_t, httpd_cvs_script_t, httpd_rotatelogs_t, httpd_bugzilla_script_t, httpd_smokeping_cgi_script_t, httpd_nagios_script_t, httpd_dirsrvadmin_script_t, httpd_suexec_t, httpd_mojomojo_script_t, httpd_php_t, httpd_w3c_validator_script_t, httpd_user_script_t, httpd_awstats_script_t, httpd_apcupsd_cgi_script_t, httpd_nutups_cgi_script_t, httpd_munin_script_t, httpd_zoneminder_script_t, httpd_sys_script_t, httpd_dspam_script_t, httpd_prewikka_script_t, httpd_git_script_t, httpd_unconfined_script_t, httpd_t, httpd_man2html_script_t, httpd_passwd_t, httpd_helper_t, httpd_squid_script_t, httpd_cobbler_script_t, httpd_mediawiki_script_t ++.B httpd_collectd_script_t, httpd_cvs_script_t, httpd_rotatelogs_t, httpd_bugzilla_script_t, httpd_smokeping_cgi_script_t, httpd_nagios_script_t, httpd_dirsrvadmin_script_t, httpd_suexec_t, httpd_mojomojo_script_t, httpd_php_t, httpd_w3c_validator_script_t, httpd_user_script_t, httpd_awstats_script_t, httpd_libra_script_t, httpd_apcupsd_cgi_script_t, httpd_nutups_cgi_script_t, httpd_munin_script_t, httpd_zoneminder_script_t, httpd_sys_script_t, httpd_dspam_script_t, httpd_prewikka_script_t, httpd_git_script_t, httpd_t, httpd_man2html_script_t, httpd_passwd_t, httpd_helper_t, httpd_squid_script_t, httpd_cobbler_script_t, httpd_mediawiki_script_t +.EE +.PP +Note: @@ -21517,7 +21954,7 @@ index 16e8b13..4a9dd69 100644 \ No newline at end of file 
diff --git a/man/man8/hwclock_selinux.8 b/man/man8/hwclock_selinux.8 new file mode 100644 -index 0000000..52d3a13 +index 0000000..5e360b5 --- /dev/null +++ b/man/man8/hwclock_selinux.8 @@ -0,0 +1,91 @@ @@ -21569,7 +22006,7 @@ index 0000000..52d3a13 +/usr/sbin/hwclock, /sbin/hwclock + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21614,7 +22051,7 @@ index 0000000..52d3a13 +selinux(8), hwclock(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/iceauth_selinux.8 b/man/man8/iceauth_selinux.8 new file mode 100644 -index 0000000..0db3d9c +index 0000000..cdb61ed --- /dev/null +++ b/man/man8/iceauth_selinux.8 @@ -0,0 +1,89 @@ @@ -21664,7 +22101,7 @@ index 0000000..0db3d9c +/root/\.DCOP.*, /root/\.ICEauthority.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21709,7 +22146,7 @@ index 0000000..0db3d9c +selinux(8), iceauth(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/icecast_selinux.8 b/man/man8/icecast_selinux.8 new file mode 100644 -index 0000000..1b6f2d7 +index 0000000..09452ee --- /dev/null +++ b/man/man8/icecast_selinux.8 @@ -0,0 +1,126 @@ 
@@ -21792,7 +22229,7 @@ index 0000000..1b6f2d7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21842,7 +22279,7 @@ index 0000000..1b6f2d7 \ No newline at end of file diff --git a/man/man8/ifconfig_selinux.8 b/man/man8/ifconfig_selinux.8 new file mode 100644 -index 0000000..4ee5d9d +index 0000000..3cb3078 --- /dev/null +++ b/man/man8/ifconfig_selinux.8 @@ -0,0 +1,91 @@ @@ -21894,7 +22331,7 @@ index 0000000..4ee5d9d +/usr/sbin/ipx_internal_net, /sbin/ipx_configure, /sbin/tc, /usr/sbin/ipx_configure, /usr/sbin/iwconfig, /usr/sbin/ipx_interface, /usr/sbin/mii-tool, /usr/sbin/ethtool, /usr/sbin/ifconfig, /sbin/ipx_interface, /bin/ip, /usr/bin/ip, /usr/sbin/tc, /sbin/iwconfig, /sbin/ifconfig, /sbin/mii-tool, /sbin/ethtool, /usr/sbin/ip, /sbin/ip, /sbin/ipx_internal_net + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21939,7 +22376,7 @@ index 0000000..4ee5d9d +selinux(8), ifconfig(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/inetd_selinux.8 b/man/man8/inetd_selinux.8 new file mode 100644 -index 0000000..9753d78 +index 0000000..dc4c84e --- /dev/null +++ b/man/man8/inetd_selinux.8 @@ -0,0 +1,171 @@ 
@@ -22043,7 +22480,7 @@ index 0000000..9753d78 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22116,7 +22553,7 @@ index 0000000..9753d78 +selinux(8), inetd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/init_selinux.8 b/man/man8/init_selinux.8 new file mode 100644 -index 0000000..14f4f10 +index 0000000..5e3e05e --- /dev/null +++ b/man/man8/init_selinux.8 @@ -0,0 +1,177 @@ @@ -22250,7 +22687,7 @@ index 0000000..14f4f10 +/var/run/setmixer_flag, /var/run/runlevel\.dir, /var/run/random-seed, /var/run/utmp + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22300,7 +22737,7 @@ index 0000000..14f4f10 \ No newline at end of file diff --git a/man/man8/initrc_selinux.8 b/man/man8/initrc_selinux.8 new file mode 100644 -index 0000000..cd5b4cb +index 0000000..a384c3a --- /dev/null +++ b/man/man8/initrc_selinux.8 @@ -0,0 +1,127 @@ 
@@ -22388,7 +22825,7 @@ index 0000000..cd5b4cb +/var/run/setmixer_flag, /var/run/runlevel\.dir, /var/run/random-seed, /var/run/utmp + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22433,7 +22870,7 @@ index 0000000..cd5b4cb +selinux(8), initrc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/innd_selinux.8 b/man/man8/innd_selinux.8 new file mode 100644 -index 0000000..2f7366a +index 0000000..b1b7c6c --- /dev/null +++ b/man/man8/innd_selinux.8 @@ -0,0 +1,147 @@ 
@@ -22476,7 +22913,7 @@ index 0000000..2f7366a +.br +.TP 5 +Paths: -+/usr/bin/suck, /usr/lib/news/bin/convdate, /usr/lib/news/bin/filechan, /usr/lib/news/bin/nntpget, /usr/sbin/in\.nnrpd, /usr/lib/news/bin/innfeed, /usr/lib/news/bin/shlock, /usr/lib/news/bin/archive, /usr/lib/news/bin/innconfval, /usr/lib/news/bin/actsync, /usr/lib/news/bin/innxbatch, /usr/bin/inews, /usr/lib/news/bin/batcher, /usr/sbin/innd.*, /usr/lib/news/bin/expire, /usr/lib/news/bin/nnrpd, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/ctlinnd, /usr/bin/rpost, /usr/lib/news/bin/buffchan, /usr/lib/news/bin/ovdb_recover, /etc/news/boot, /usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/innd, /usr/lib/news/bin/makehistory, /usr/lib/news/bin/newsrequeue, /usr/lib/news/bin/makedbz, /usr/bin/rnews, /usr/lib/news/bin/innxmit, /usr/lib/news/bin/fastrm, /usr/lib/news/bin/getlist, /usr/lib/news/bin/sm, /usr/lib/news/bin/grephistory, /usr/lib/news/bin/rnews, /usr/lib/news/bin/overchan, /usr/lib/news/bin/cvtbatch, /usr/lib/news/bin/prunehistory, /usr/lib/news/bin/inews, /usr/lib/news/bin/shrinkfile, /usr/lib/news/bin/expireover, /usr/lib/news/bin/inndf ++/usr/bin/suck, /usr/lib/news/bin/filechan, /usr/lib/news/bin/nntpget, /usr/sbin/in\.nnrpd, /usr/lib/news/bin/convdate, /usr/lib/news/bin/innfeed, /usr/lib/news/bin/shlock, /usr/lib/news/bin/archive, /usr/lib/news/bin/innconfval, /usr/lib/news/bin/actsync, /usr/lib/news/bin/innxbatch, /usr/bin/inews, /usr/lib/news/bin/batcher, /usr/sbin/innd.*, /usr/lib/news/bin/expire, /usr/lib/news/bin/nnrpd, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/ctlinnd, /usr/bin/rpost, /usr/lib/news/bin/buffchan, /usr/lib/news/bin/ovdb_recover, /etc/news/boot, /usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/makehistory, /usr/lib/news/bin/innd, /usr/lib/news/bin/makedbz, /usr/bin/rnews, /usr/lib/news/bin/innxmit, /usr/lib/news/bin/fastrm, /usr/lib/news/bin/getlist, /usr/lib/news/bin/sm, /usr/lib/news/bin/grephistory, /usr/lib/news/bin/rnews, /usr/lib/news/bin/newsrequeue, 
/usr/lib/news/bin/overchan, /usr/lib/news/bin/cvtbatch, /usr/lib/news/bin/prunehistory, /usr/lib/news/bin/inews, /usr/lib/news/bin/shrinkfile, /usr/lib/news/bin/expireover, /usr/lib/news/bin/inndf + +.EX +.PP @@ -22515,7 +22952,7 @@ index 0000000..2f7366a +/var/run/innd(/.*)?, /var/run/news(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22586,7 +23023,7 @@ index 0000000..2f7366a +selinux(8), innd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/insmod_selinux.8 b/man/man8/insmod_selinux.8 new file mode 100644 -index 0000000..a8b11de +index 0000000..2ccbe62 --- /dev/null +++ b/man/man8/insmod_selinux.8 @@ -0,0 +1,121 @@ @@ -22610,7 +23047,7 @@ index 0000000..a8b11de +.EE + +.PP -+If you want to allow pppd to load kernel modules for certain modem, you must turn on the pppd_can_insmod boolean. ++If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean. + +.EX +.B setsebool -P pppd_can_insmod 1 @@ -22664,7 +23101,7 @@ index 0000000..a8b11de + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22714,7 +23151,7 @@ index 0000000..a8b11de \ No newline at end of file 
diff --git a/man/man8/ipsec_selinux.8 b/man/man8/ipsec_selinux.8 new file mode 100644 -index 0000000..af875ea +index 0000000..267a622 --- /dev/null +++ b/man/man8/ipsec_selinux.8 @@ -0,0 +1,211 @@ @@ -22858,7 +23295,7 @@ index 0000000..af875ea +/var/run/racoon\.pid, /var/run/pluto(/.*)?, /var/racoon(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22931,7 +23368,7 @@ index 0000000..af875ea +selinux(8), ipsec(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/iptables_selinux.8 b/man/man8/iptables_selinux.8 new file mode 100644 -index 0000000..33f44c0 +index 0000000..3707b64 --- /dev/null +++ b/man/man8/iptables_selinux.8 @@ -0,0 +1,146 @@ @@ -22948,7 +23385,7 @@ index 0000000..33f44c0 + + +.PP -+If you want to allow dhcpc client applications to execute iptables command, you must turn on the dhcpc_exec_iptables boolean. ++If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean. + +.EX +.B setsebool -P dhcpc_exec_iptables 1 
@@ -22991,7 +23428,7 @@ index 0000000..33f44c0 +.br +.TP 5 +Paths: -+/sbin/ebtables-restore, /usr/sbin/ipvsadm-restore, /usr/sbin/ipchains.*, /sbin/ebtables, /usr/sbin/ip6?tables, /usr/sbin/ip6?tables-restore, /usr/sbin/xtables-multi, /sbin/ipchains.*, /sbin/ip6?tables, /usr/sbin/ebtables-restore, /usr/sbin/ebtables, /sbin/ipvsadm, /usr/sbin/ipvsadm-save, /sbin/xtables-multi, /sbin/ipvsadm-restore, /usr/sbin/ip6?tables-multi, /sbin/ip6?tables-multi, /usr/sbin/ipvsadm, /sbin/ipvsadm-save, /sbin/ip6?tables-restore ++/usr/sbin/ipvsadm-restore, /usr/sbin/ipchains.*, /sbin/ebtables, /usr/sbin/ip6?tables, /usr/sbin/ip6?tables-restore, /sbin/ebtables-restore, /usr/sbin/xtables-multi, /sbin/ipchains.*, /sbin/ip6?tables, /usr/sbin/ebtables-restore, /usr/sbin/ebtables, /sbin/ipvsadm, /usr/sbin/ipvsadm-save, /sbin/xtables-multi, /sbin/ipvsadm-restore, /usr/sbin/ip6?tables-multi, /sbin/ip6?tables-multi, /usr/sbin/ipvsadm, /sbin/ipvsadm-save, /sbin/ip6?tables-restore + +.EX +.PP @@ -23023,7 +23460,7 @@ index 0000000..33f44c0 +.br +.TP 5 +Paths: -+/usr/lib/systemd/system/ip6tables.*, /usr/lib/systemd/system/proftpd.*, /usr/lib/systemd/system/vsftpd.*, /usr/lib/systemd/system/slapd.*, /usr/lib/systemd/system/ppp.*, /usr/lib/systemd/system/iptables.* ++/usr/lib/systemd/system/proftpd.*, /usr/lib/systemd/system/ip6tables.*, /usr/lib/systemd/system/vsftpd.*, /usr/lib/systemd/system/slapd.*, /usr/lib/systemd/system/ppp.*, /usr/lib/systemd/system/iptables.* + +.EX +.PP @@ -23034,7 +23471,7 @@ index 0000000..33f44c0 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -23084,7 +23521,7 @@ index 0000000..33f44c0 \ No newline at end of file diff --git a/man/man8/irc_selinux.8 b/man/man8/irc_selinux.8 new file mode 100644 -index 0000000..8742397 +index 0000000..c53c421 --- /dev/null +++ b/man/man8/irc_selinux.8 @@ -0,0 +1,119 @@ @@ -23138,7 +23575,7 @@ index 0000000..8742397 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23209,7 +23646,7 @@ index 0000000..8742397 +selinux(8), irc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/irqbalance_selinux.8 b/man/man8/irqbalance_selinux.8 new file mode 100644 -index 0000000..8cafced +index 0000000..f66b248 --- /dev/null +++ b/man/man8/irqbalance_selinux.8 @@ -0,0 +1,81 @@ @@ -23251,7 +23688,7 @@ index 0000000..8cafced + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23296,7 +23733,7 @@ index 0000000..8cafced +selinux(8), irqbalance(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/irssi_selinux.8 b/man/man8/irssi_selinux.8 new file mode 100644 -index 0000000..0fdedd5 +index 0000000..f0f7b71 --- /dev/null +++ b/man/man8/irssi_selinux.8 @@ -0,0 +1,118 @@ 
@@ -23371,7 +23808,7 @@ index 0000000..0fdedd5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23421,7 +23858,7 @@ index 0000000..0fdedd5 \ No newline at end of file diff --git a/man/man8/iscsid_selinux.8 b/man/man8/iscsid_selinux.8 new file mode 100644 -index 0000000..4dea365 +index 0000000..6d11443 --- /dev/null +++ b/man/man8/iscsid_selinux.8 @@ -0,0 +1,117 @@ @@ -23473,7 +23910,7 @@ index 0000000..4dea365 +/sbin/brcm_iscsiuio, /sbin/iscsiuio, /usr/sbin/iscsiuio, /usr/sbin/iscsid, /usr/sbin/brcm_iscsiuio, /sbin/iscsid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23544,7 +23981,7 @@ index 0000000..4dea365 +selinux(8), iscsid(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/iwhd_selinux.8 b/man/man8/iwhd_selinux.8 new file mode 100644 -index 0000000..a0ae96c +index 0000000..570e109 --- /dev/null +++ b/man/man8/iwhd_selinux.8 @@ -0,0 +1,105 @@ 
@@ -23610,7 +24047,7 @@ index 0000000..a0ae96c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23655,7 +24092,7 @@ index 0000000..a0ae96c +selinux(8), iwhd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/jabberd_selinux.8 b/man/man8/jabberd_selinux.8 new file mode 100644 -index 0000000..dd38cf4 +index 0000000..51c4344 --- /dev/null +++ b/man/man8/jabberd_selinux.8 @@ -0,0 +1,153 @@ @@ -23721,7 +24158,7 @@ index 0000000..dd38cf4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23814,7 +24251,7 @@ index 0000000..dd38cf4 +selinux(8), jabberd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/jockey_selinux.8 b/man/man8/jockey_selinux.8 new file mode 100644 -index 0000000..92a2c36 +index 0000000..9a6aaca --- /dev/null +++ b/man/man8/jockey_selinux.8 @@ -0,0 +1,93 @@ 
@@ -23865,10 +24302,10 @@ index 0000000..92a2c36 +.br +.TP 5 +Paths: -+/var/log/jockey\.log, /var/log/jockey(/.*)? ++/var/log/jockey\.log.*, /var/log/jockey(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23913,7 +24350,7 @@ index 0000000..92a2c36 +selinux(8), jockey(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/kadmind_selinux.8 b/man/man8/kadmind_selinux.8 new file mode 100644 -index 0000000..f5d4608 +index 0000000..24e83c0 --- /dev/null +++ b/man/man8/kadmind_selinux.8 @@ -0,0 +1,101 @@ @@ -23975,7 +24412,7 @@ index 0000000..f5d4608 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24020,7 +24457,7 @@ index 0000000..f5d4608 +selinux(8), kadmind(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/kdump_selinux.8 b/man/man8/kdump_selinux.8 new file mode 100644 -index 0000000..f15e342 +index 0000000..c6ca89e --- /dev/null +++ b/man/man8/kdump_selinux.8 @@ -0,0 +1,155 @@ 
@@ -24136,7 +24573,7 @@ index 0000000..f15e342 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -24179,9 +24616,104 @@ index 0000000..f15e342 + +.SH "SEE ALSO" +selinux(8), kdump(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/kdumpctl_selinux.8 b/man/man8/kdumpctl_selinux.8 +new file mode 100644 +index 0000000..da151a2 +--- /dev/null ++++ b/man/man8/kdumpctl_selinux.8 +@@ -0,0 +1,89 @@ ++.TH "kdumpctl_selinux" "8" "kdumpctl" "dwalsh@redhat.com" "kdumpctl SELinux Policy documentation" ++.SH "NAME" ++kdumpctl_selinux \- Security Enhanced Linux Policy for the kdumpctl processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the kdumpctl processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux kdumpctl policy is very flexible allowing users to setup their kdumpctl processes in as secure a method as possible. ++.PP ++The following file types are defined for kdumpctl: ++ ++ ++.EX ++.PP ++.B kdumpctl_exec_t ++.EE ++ ++- Set files with the kdumpctl_exec_t type, if you want to transition an executable to the kdumpctl_t domain. ++ ++ ++.EX ++.PP ++.B kdumpctl_tmp_t ++.EE ++ ++- Set files with the kdumpctl_tmp_t type, if you want to store kdumpctl temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B kdumpctl_unit_file_t ++.EE ++ ++- Set files with the kdumpctl_unit_file_t type, if you want to treat the files as kdumpctl unit content. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. 
++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux kdumpctl policy is very flexible allowing users to setup their kdumpctl processes in as secure a method as possible. ++.PP ++The following process types are defined for kdumpctl: ++ ++.EX ++.B kdumpctl_t ++.EE ++.PP ++Note: ++.B semanage permissive -a PROCESS_TYPE ++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was autogenerated by genman.py. ++ ++.SH "SEE ALSO" ++selinux(8), kdumpctl(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/kdumpgui_selinux.8 b/man/man8/kdumpgui_selinux.8 new file mode 100644 -index 0000000..b277343 +index 0000000..d20bf5e --- /dev/null +++ b/man/man8/kdumpgui_selinux.8 @@ -0,0 +1,95 @@ @@ -24237,7 +24769,7 @@ index 0000000..b277343 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -24282,7 +24814,7 @@ index 0000000..b277343 +selinux(8), kdumpgui(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/keyboardd_selinux.8 b/man/man8/keyboardd_selinux.8 new file mode 100644 -index 0000000..1eebbe8 +index 0000000..59fd0b3 --- /dev/null +++ b/man/man8/keyboardd_selinux.8 @@ -0,0 +1,73 @@ @@ -24316,7 +24848,7 @@ index 0000000..1eebbe8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24361,7 +24893,7 @@ index 0000000..1eebbe8 +selinux(8), keyboardd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/keystone_selinux.8 b/man/man8/keystone_selinux.8 new file mode 100644 -index 0000000..f24c690 +index 0000000..b521f85 --- /dev/null +++ b/man/man8/keystone_selinux.8 @@ -0,0 +1,147 @@ @@ -24441,7 +24973,7 @@ index 0000000..f24c690 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24514,7 +25046,7 @@ index 0000000..f24c690 +selinux(8), keystone(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/kismet_selinux.8 b/man/man8/kismet_selinux.8 new file mode 100644 -index 0000000..d26771d +index 0000000..7edd41b --- /dev/null +++ b/man/man8/kismet_selinux.8 @@ -0,0 +1,161 @@ 
@@ -24610,7 +25142,7 @@ index 0000000..d26771d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24681,7 +25213,7 @@ index 0000000..d26771d +selinux(8), kismet(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/klogd_selinux.8 b/man/man8/klogd_selinux.8 new file mode 100644 -index 0000000..b0dc370 +index 0000000..5dbcedd --- /dev/null +++ b/man/man8/klogd_selinux.8 @@ -0,0 +1,93 @@ @@ -24735,7 +25267,7 @@ index 0000000..b0dc370 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24780,7 +25312,7 @@ index 0000000..b0dc370 +selinux(8), klogd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/kpropd_selinux.8 b/man/man8/kpropd_selinux.8 new file mode 100644 -index 0000000..8720d94 +index 0000000..1606af5 --- /dev/null +++ b/man/man8/kpropd_selinux.8 @@ -0,0 +1,99 @@ @@ -24814,7 +25346,7 @@ index 0000000..8720d94 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -24885,7 +25417,7 @@ index 0000000..8720d94 +selinux(8), kpropd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/krb5kdc_selinux.8 b/man/man8/krb5kdc_selinux.8 new file mode 100644 -index 0000000..e96b9e3 +index 0000000..f3acfe7 --- /dev/null +++ b/man/man8/krb5kdc_selinux.8 @@ -0,0 +1,133 @@ @@ -24979,7 +25511,7 @@ index 0000000..e96b9e3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25024,7 +25556,7 @@ index 0000000..e96b9e3 +selinux(8), krb5kdc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ksmtuned_selinux.8 b/man/man8/ksmtuned_selinux.8 new file mode 100644 -index 0000000..d0b751b +index 0000000..3d5dd35 --- /dev/null +++ b/man/man8/ksmtuned_selinux.8 @@ -0,0 +1,111 @@ @@ -25096,7 +25628,7 @@ index 0000000..d0b751b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25141,7 +25673,7 @@ index 0000000..d0b751b +selinux(8), ksmtuned(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ktalkd_selinux.8 b/man/man8/ktalkd_selinux.8 new file mode 100644 -index 0000000..2dd9ab9 +index 0000000..c5dca5b --- /dev/null +++ b/man/man8/ktalkd_selinux.8 @@ -0,0 +1,141 @@ 
@@ -25217,7 +25749,7 @@ index 0000000..2dd9ab9 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25288,7 +25820,7 @@ index 0000000..2dd9ab9 +selinux(8), ktalkd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/l2tpd_selinux.8 b/man/man8/l2tpd_selinux.8 new file mode 100644 -index 0000000..79edab7 +index 0000000..e87fd5d --- /dev/null +++ b/man/man8/l2tpd_selinux.8 @@ -0,0 +1,137 @@ @@ -25335,7 +25867,7 @@ index 0000000..79edab7 +.br +.TP 5 +Paths: -+/etc/rc\.d/init\.d/xl2tpd, /etc/rc\.d/init\.d/prol2tpd, /etc/rc\.d/init\.d/openl2tpd ++/etc/rc\.d/init\.d/prol2tpd, /etc/rc\.d/init\.d/openl2tpd, /etc/rc\.d/init\.d/xl2tpd + +.EX +.PP @@ -25358,7 +25890,7 @@ index 0000000..79edab7 +/var/run/prol2tpd(/.*)?, /var/run/prol2tpd\.pid, /var/run/prol2tpd\.ctl, /var/run/xl2tpd\.pid, /var/run/openl2tpd\.pid, /var/run/xl2tpd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25431,7 +25963,7 @@ index 0000000..79edab7 +selinux(8), l2tpd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ldconfig_selinux.8 b/man/man8/ldconfig_selinux.8 new file mode 100644 -index 0000000..1e6fe8a +index 0000000..67c928e --- /dev/null +++ b/man/man8/ldconfig_selinux.8 @@ -0,0 +1,93 @@ 
@@ -25485,7 +26017,7 @@ index 0000000..1e6fe8a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25530,17 +26062,33 @@ index 0000000..1e6fe8a +selinux(8), ldconfig(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/libra_selinux.8 b/man/man8/libra_selinux.8 new file mode 100644 -index 0000000..8b6ac6e +index 0000000..cef3619 --- /dev/null +++ b/man/man8/libra_selinux.8 -@@ -0,0 +1,173 @@ +@@ -0,0 +1,185 @@ +.TH "libra_selinux" "8" "libra" "dwalsh@redhat.com" "libra SELinux Policy documentation" +.SH "NAME" +libra_selinux \- Security Enhanced Linux Policy for the libra processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the libra processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the libra_t, libra_mail_t, libra_net_t, libra_min_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the libra_t, libra_mail_t, libra_net_t, libra_min_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -25638,7 +26186,7 @@ index 0000000..8b6ac6e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25663,10 +26211,6 @@ index 0000000..8b6ac6e +.TP 10 +.EE + -+ -+Default Defined Ports: -+tcp 8021 -+.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP @@ -25709,7 +26253,7 @@ index 0000000..8b6ac6e +selinux(8), libra(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lircd_selinux.8 b/man/man8/lircd_selinux.8 new file mode 100644 -index 0000000..a6199d5 +index 0000000..630fc83 --- /dev/null +++ b/man/man8/lircd_selinux.8 @@ -0,0 +1,131 @@ @@ -25775,7 +26319,7 @@ index 0000000..a6199d5 +/var/run/lirc(/.*)?, /var/run/lircd(/.*)?, /var/run/lircd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25846,7 +26390,7 @@ index 0000000..a6199d5 +selinux(8), lircd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/livecd_selinux.8 b/man/man8/livecd_selinux.8 new file mode 100644 -index 0000000..bb62485 +index 0000000..6e7333b --- /dev/null +++ b/man/man8/livecd_selinux.8 @@ -0,0 +1,81 @@ 
@@ -25888,7 +26432,7 @@ index 0000000..bb62485 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25933,7 +26477,7 @@ index 0000000..bb62485 +selinux(8), livecd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lldpad_selinux.8 b/man/man8/lldpad_selinux.8 new file mode 100644 -index 0000000..c803575 +index 0000000..748b532 --- /dev/null +++ b/man/man8/lldpad_selinux.8 @@ -0,0 +1,105 @@ @@ -25999,7 +26543,7 @@ index 0000000..c803575 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26044,7 +26588,7 @@ index 0000000..c803575 +selinux(8), lldpad(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/load_selinux.8 b/man/man8/load_selinux.8 new file mode 100644 -index 0000000..633de07 +index 0000000..119294b --- /dev/null +++ b/man/man8/load_selinux.8 @@ -0,0 +1,118 @@ 
@@ -26068,14 +26612,14 @@ index 0000000..633de07 +.EE + +.PP -+If you want to allow the graphical login program to execute bootloade, you must turn on the xdm_exec_bootloader boolean. ++If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean. + +.EX +.B setsebool -P xdm_exec_bootloader 1 +.EE + +.PP -+If you want to allow all domains to have the kernel load module, you must turn on the domain_kernel_load_modules boolean. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. + +.EX +.B setsebool -P domain_kernel_load_modules 1 @@ -26119,7 +26663,7 @@ index 0000000..633de07 +/usr/bin/unikeys, /usr/bin/loadkeys + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26169,7 +26713,7 @@ index 0000000..633de07 \ No newline at end of file diff --git a/man/man8/loadkeys_selinux.8 b/man/man8/loadkeys_selinux.8 new file mode 100644 -index 0000000..82ada62 +index 0000000..488849f --- /dev/null +++ b/man/man8/loadkeys_selinux.8 @@ -0,0 +1,77 @@ @@ -26207,7 +26751,7 @@ index 0000000..82ada62 +/usr/bin/unikeys, /usr/bin/loadkeys + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -26252,7 +26796,7 @@ index 0000000..82ada62 +selinux(8), loadkeys(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/locate_selinux.8 b/man/man8/locate_selinux.8 new file mode 100644 -index 0000000..c576322 +index 0000000..ac8776b --- /dev/null +++ b/man/man8/locate_selinux.8 @@ -0,0 +1,103 @@ @@ -26316,7 +26860,7 @@ index 0000000..c576322 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26361,7 +26905,7 @@ index 0000000..c576322 +selinux(8), locate(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lockdev_selinux.8 b/man/man8/lockdev_selinux.8 new file mode 100644 -index 0000000..b3a911c +index 0000000..ad0ae47 --- /dev/null +++ b/man/man8/lockdev_selinux.8 @@ -0,0 +1,81 @@ @@ -26403,7 +26947,7 @@ index 0000000..b3a911c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26519,7 +27063,7 @@ index 0000000..0edd73f +selinux(8), semanage(8). diff --git a/man/man8/logrotate_selinux.8 b/man/man8/logrotate_selinux.8 new file mode 100644 -index 0000000..0141e19 +index 0000000..caaa89d --- /dev/null +++ b/man/man8/logrotate_selinux.8 @@ -0,0 +1,123 @@ 
@@ -26603,7 +27147,7 @@ index 0000000..0141e19 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26648,7 +27192,7 @@ index 0000000..0141e19 +selinux(8), logrotate(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/logwatch_selinux.8 b/man/man8/logwatch_selinux.8 new file mode 100644 -index 0000000..294e335 +index 0000000..ee56475 --- /dev/null +++ b/man/man8/logwatch_selinux.8 @@ -0,0 +1,135 @@ @@ -26744,7 +27288,7 @@ index 0000000..294e335 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26789,7 +27333,7 @@ index 0000000..294e335 +selinux(8), logwatch(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lpd_selinux.8 b/man/man8/lpd_selinux.8 new file mode 100644 -index 0000000..5b5ff79 +index 0000000..45fa127 --- /dev/null +++ b/man/man8/lpd_selinux.8 @@ -0,0 +1,122 @@ @@ -26806,7 +27350,7 @@ index 0000000..5b5ff79 + + +.PP -+If you want to use lpd server instead of cup, you must turn on the use_lpd_server boolean. ++If you want to use lpd server instead of cups, you must turn on the use_lpd_server boolean. + +.EX +.B setsebool -P use_lpd_server 1 
@@ -26868,7 +27412,7 @@ index 0000000..5b5ff79 +/var/spool/turboprint(/.*)?, /var/run/lprng(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26918,7 +27462,7 @@ index 0000000..5b5ff79 \ No newline at end of file diff --git a/man/man8/lpr_selinux.8 b/man/man8/lpr_selinux.8 new file mode 100644 -index 0000000..6808de7 +index 0000000..e2d3b05 --- /dev/null +++ b/man/man8/lpr_selinux.8 @@ -0,0 +1,99 @@ @@ -26978,7 +27522,7 @@ index 0000000..6808de7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27023,7 +27567,7 @@ index 0000000..6808de7 +selinux(8), lpr(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lsassd_selinux.8 b/man/man8/lsassd_selinux.8 new file mode 100644 -index 0000000..2114550 +index 0000000..a2c5403 --- /dev/null +++ b/man/man8/lsassd_selinux.8 @@ -0,0 +1,113 @@ 
@@ -27094,10 +27638,10 @@ index 0000000..2114550 +.br +.TP 5 +Paths: -+/var/lib/likewise-open/rpc/lsass, /var/lib/likewise-open/\.lsassd, /var/lib/likewise-open/\.ntlmd ++/var/lib/likewise-open/\.lsassd, /var/lib/likewise-open/\.ntlmd, /var/lib/likewise-open/rpc/lsass + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27142,7 +27686,7 @@ index 0000000..2114550 +selinux(8), lsassd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lvm_selinux.8 b/man/man8/lvm_selinux.8 new file mode 100644 -index 0000000..e5ac861 +index 0000000..143acc0 --- /dev/null +++ b/man/man8/lvm_selinux.8 @@ -0,0 +1,137 @@ 
@@ -27185,7 +27729,7 @@ index 0000000..e5ac861 +.br +.TP 5 +Paths: -+/sbin/dmsetup, /usr/sbin/dmsetup, /usr/sbin/pvchange, /sbin/dmraid, /sbin/pvremove, /sbin/vgextend, /sbin/vgscan\.static, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /usr/lib/lvm-10/.*, /sbin/pvs, /sbin/lvmdiskscan, /sbin/lvresize, /sbin/vgmknodes, /usr/sbin/lvdisplay, /usr/sbin/mount\.crypt, /usr/sbin/pvs, /usr/sbin/vgsplit, /usr/lib/systemd/systemd-cryptsetup, /sbin/pvmove, /sbin/multipath\.static, /usr/sbin/pvcreate, /usr/sbin/lvmdiskscan, /usr/sbin/vgcfgbackup, /usr/sbin/lvmiopversion, /usr/sbin/vgimport, /sbin/vgck, /sbin/pvscan, /usr/sbin/lvmchange, /sbin/lvreduce, /sbin/vgremove, /sbin/vgscan, /sbin/vgsplit, /lib/lvm-200/.*, /usr/sbin/lvremove, /sbin/vgmerge, /usr/sbin/vgchange\.static, /sbin/pvcreate, /usr/sbin/lvm, /usr/sbin/lvrename, /usr/sbin/lvmsadc, /usr/lib/lvm-200/.*, /usr/sbin/pvdata, /usr/sbin/lvmetad, /sbin/vgchange, /sbin/lvm\.static, /sbin/vgcfgbackup, /sbin/e2fsadm, /sbin/lvm, /sbin/pvdata, /usr/sbin/lvcreate, /usr/sbin/vgextend, /sbin/lvextend, /usr/lib/udev/udisks-lvm-pv-export, /sbin/vgcfgrestore, /usr/sbin/vgscan, /sbin/vgs, /sbin/lvmchange, /sbin/vgimport, /usr/sbin/lvscan, /usr/sbin/pvscan, /usr/sbin/vgreduce, /usr/sbin/dmsetup\.static, /usr/sbin/vgexport, /usr/sbin/lvextend, /usr/sbin/cryptsetup, /usr/sbin/dmraid, /usr/sbin/lvresize, /sbin/dmsetup\.static, /sbin/lvmsar, /usr/sbin/vgs, /usr/sbin/vgrename, /usr/sbin/lvs, /sbin/vgchange\.static, /usr/sbin/pvmove, /sbin/lvmsadc, /usr/sbin/vgmknodes, /sbin/lvmetad, /sbin/lvmiopversion, /usr/sbin/pvdisplay, /usr/sbin/vgremove, /usr/sbin/vgscan\.static, /sbin/pvdisplay, /usr/sbin/vgcfgrestore, /usr/sbin/kpartx, /sbin/cryptsetup, /lib/udev/udisks-lvm-pv-export, /sbin/vgwrapper, /sbin/lvchange, /sbin/pvchange, /usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/mount\.crypt, /sbin/vgcreate, /usr/sbin/vgwrapper, /sbin/vgreduce, /usr/sbin/lvreduce, /sbin/lvrename, /sbin/multipathd, /usr/sbin/vgcreate, /usr/sbin/vgmerge, 
/sbin/vgexport, /usr/sbin/lvchange, /sbin/lvs, /usr/sbin/lvmsar, /usr/sbin/multipath\.static, /usr/sbin/vgchange, /sbin/kpartx, /lib/lvm-10/.*, /sbin/lvscan, /sbin/lvcreate, /sbin/vgdisplay, /usr/sbin/vgdisplay, /sbin/lvremove, /usr/sbin/pvremove, /usr/sbin/e2fsadm ++/sbin/dmsetup, /usr/sbin/dmsetup, /usr/sbin/pvchange, /sbin/dmraid, /sbin/pvremove, /sbin/vgextend, /sbin/vgscan\.static, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /usr/lib/lvm-10/.*, /sbin/pvs, /sbin/lvmdiskscan, /sbin/lvresize, /sbin/vgmknodes, /usr/sbin/lvdisplay, /usr/sbin/mount\.crypt, /usr/sbin/pvs, /usr/sbin/vgsplit, /usr/lib/systemd/systemd-cryptsetup, /sbin/pvmove, /sbin/multipath\.static, /usr/sbin/pvcreate, /usr/sbin/lvmdiskscan, /usr/sbin/vgcfgbackup, /usr/sbin/lvmiopversion, /usr/sbin/vgimport, /sbin/vgck, /sbin/pvscan, /usr/sbin/lvmchange, /sbin/lvreduce, /sbin/vgremove, /sbin/vgscan, /sbin/vgsplit, /lib/lvm-200/.*, /usr/sbin/lvremove, /sbin/vgmerge, /usr/sbin/vgchange\.static, /sbin/pvcreate, /usr/sbin/lvm, /usr/sbin/lvrename, /usr/sbin/lvmsadc, /usr/lib/lvm-200/.*, /usr/sbin/pvdata, /usr/sbin/lvmetad, /sbin/vgchange, /sbin/lvm\.static, /sbin/vgcfgbackup, /sbin/e2fsadm, /sbin/lvm, /sbin/pvdata, /usr/sbin/lvcreate, /usr/sbin/vgextend, /sbin/lvextend, /usr/lib/udev/udisks-lvm-pv-export, /sbin/vgcfgrestore, /usr/sbin/vgscan, /sbin/vgs, /sbin/lvmchange, /sbin/vgimport, /usr/sbin/lvscan, /usr/sbin/pvscan, /usr/sbin/vgreduce, /usr/sbin/dmsetup\.static, /usr/sbin/vgexport, /usr/sbin/lvextend, /usr/sbin/cryptsetup, /usr/sbin/dmraid, /usr/sbin/lvresize, /sbin/dmsetup\.static, /sbin/lvmsar, /usr/sbin/vgs, /usr/sbin/vgrename, /usr/sbin/lvs, /sbin/vgchange\.static, /usr/sbin/pvmove, /sbin/lvmsadc, /usr/sbin/vgmknodes, /sbin/lvmetad, /sbin/lvmiopversion, /usr/sbin/pvdisplay, /usr/sbin/vgremove, /usr/sbin/vgscan\.static, /sbin/pvdisplay, /usr/sbin/vgcfgrestore, /usr/sbin/kpartx, /sbin/cryptsetup, /lib/udev/udisks-lvm-pv-export, /sbin/vgwrapper, /sbin/lvchange, /sbin/pvchange, 
/usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/mount\.crypt, /sbin/vgcreate, /usr/sbin/vgwrapper, /sbin/vgreduce, /usr/sbin/lvreduce, /sbin/lvrename, /sbin/multipathd, /usr/sbin/vgcreate, /usr/sbin/vgmerge, /usr/sbin/multipath\.static, /sbin/vgexport, /usr/sbin/lvchange, /sbin/lvs, /usr/sbin/lvmsar, /usr/sbin/vgchange, /sbin/kpartx, /lib/lvm-10/.*, /sbin/lvscan, /sbin/lvcreate, /sbin/vgdisplay, /usr/sbin/vgdisplay, /sbin/lvremove, /usr/sbin/pvremove, /usr/sbin/e2fsadm + +.EX +.PP @@ -27240,7 +27784,7 @@ index 0000000..e5ac861 +/var/run/lvm(/.*)?, /var/run/multipathd\.sock, /var/run/dmevent.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27285,7 +27829,7 @@ index 0000000..e5ac861 +selinux(8), lvm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lwiod_selinux.8 b/man/man8/lwiod_selinux.8 new file mode 100644 -index 0000000..ac1ec18 +index 0000000..f030703 --- /dev/null +++ b/man/man8/lwiod_selinux.8 @@ -0,0 +1,97 @@ @@ -27343,7 +27887,7 @@ index 0000000..ac1ec18 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27388,7 +27932,7 @@ index 0000000..ac1ec18 +selinux(8), lwiod(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/lwregd_selinux.8 b/man/man8/lwregd_selinux.8 new file mode 100644 -index 0000000..1498718 +index 0000000..3cff5a3 --- /dev/null +++ b/man/man8/lwregd_selinux.8 @@ -0,0 +1,101 @@ @@ -27450,7 +27994,7 @@ index 0000000..1498718 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27495,7 +28039,7 @@ index 0000000..1498718 +selinux(8), lwregd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lwsmd_selinux.8 b/man/man8/lwsmd_selinux.8 new file mode 100644 -index 0000000..5fc974a +index 0000000..9d5967e --- /dev/null +++ b/man/man8/lwsmd_selinux.8 @@ -0,0 +1,97 @@ @@ -27553,7 +28097,7 @@ index 0000000..5fc974a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27598,7 +28142,7 @@ index 0000000..5fc974a +selinux(8), lwsmd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mail_selinux.8 b/man/man8/mail_selinux.8 new file mode 100644 -index 0000000..da63ab9 +index 0000000..6bed566 --- /dev/null +++ b/man/man8/mail_selinux.8 @@ -0,0 +1,293 @@ 
@@ -27615,28 +28159,28 @@ index 0000000..da63ab9 + + +.PP -+If you want to allow postfix_local domain full write access to mail_spool directorie, you must turn on the postfix_local_write_mail_spool boolean. ++If you want to allow postfix_local domain full write access to mail_spool directories, you must turn on the postfix_local_write_mail_spool boolean. + +.EX +.B setsebool -P postfix_local_write_mail_spool 1 +.EE + +.PP -+If you want to allow http daemon to send mai, you must turn on the httpd_can_sendmail boolean. ++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. + +.EX +.B setsebool -P httpd_can_sendmail 1 +.EE + +.PP -+If you want to allow syslogd daemon to send mai, you must turn on the logging_syslogd_can_sendmail boolean. ++If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean. + +.EX +.B setsebool -P logging_syslogd_can_sendmail 1 +.EE + +.PP -+If you want to allow gitisis daemon to send mai, you must turn on the gitosis_can_sendmail boolean. ++If you want to allow gitisis daemon to send mail, you must turn on the gitosis_can_sendmail boolean. + +.EX +.B setsebool -P gitosis_can_sendmail 1 @@ -27822,7 +28366,7 @@ index 0000000..da63ab9 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27898,7 +28442,7 @@ index 0000000..da63ab9 \ No newline at end of file diff --git a/man/man8/mailman_selinux.8 b/man/man8/mailman_selinux.8 new file mode 100644 -index 0000000..02ff223 +index 0000000..4333059 --- /dev/null +++ b/man/man8/mailman_selinux.8 @@ -0,0 +1,179 @@ 
@@ -28038,7 +28582,7 @@ index 0000000..02ff223 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28083,7 +28627,7 @@ index 0000000..02ff223 +selinux(8), mailman(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/matahari_selinux.8 b/man/man8/matahari_selinux.8 new file mode 100644 -index 0000000..9c085f6 +index 0000000..ffc17aa --- /dev/null +++ b/man/man8/matahari_selinux.8 @@ -0,0 +1,225 @@ @@ -28138,7 +28682,7 @@ index 0000000..9c085f6 +.br +.TP 5 +Paths: -+/etc/rc\.d/init\.d/matahari-sysconfig, /etc/rc\.d/init\.d/matahari-host, /etc/rc\.d/init\.d/matahari-service, /etc/rc\.d/init.d/matahari-sysconfig-console, /etc/rc\.d/init\.d/matahari-net ++/etc/rc\.d/init\.d/matahari-sysconfig, /etc/rc\.d/init\.d/matahari-host, /etc/rc\.d/init\.d/matahari-service, /etc/rc\.d/init\.d/matahari-net, /etc/rc\.d/init.d/matahari-sysconfig-console + +.EX +.PP @@ -28241,7 +28785,7 @@ index 0000000..9c085f6 +/var/run/matahari(/.*)?, /var/run/matahari\.pid, /var/run/matahari-broker\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28314,7 +28858,7 @@ index 0000000..9c085f6 +selinux(8), matahari(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/mcelog_selinux.8 b/man/man8/mcelog_selinux.8 new file mode 100644 -index 0000000..263046c +index 0000000..0d5483c --- /dev/null +++ b/man/man8/mcelog_selinux.8 @@ -0,0 +1,89 @@ @@ -28364,7 +28908,7 @@ index 0000000..263046c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28409,7 +28953,7 @@ index 0000000..263046c +selinux(8), mcelog(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mdadm_selinux.8 b/man/man8/mdadm_selinux.8 new file mode 100644 -index 0000000..b718a98 +index 0000000..beefadb --- /dev/null +++ b/man/man8/mdadm_selinux.8 @@ -0,0 +1,103 @@ @@ -28473,7 +29017,7 @@ index 0000000..b718a98 +/var/run/mdadm(/.*)?, /dev/md/.*, /dev/.mdadm\.map + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28518,7 +29062,7 @@ index 0000000..b718a98 +selinux(8), mdadm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/memcached_selinux.8 b/man/man8/memcached_selinux.8 new file mode 100644 -index 0000000..edd0b23 +index 0000000..92c134f --- /dev/null +++ b/man/man8/memcached_selinux.8 @@ -0,0 +1,150 @@ 
@@ -28535,7 +29079,7 @@ index 0000000..edd0b23 + + +.PP -+If you want to allow httpd to connect to memcache serve, you must turn on the httpd_can_network_memcache boolean. ++If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean. + +.EX +.B setsebool -P httpd_can_network_memcache 1 @@ -28597,7 +29141,7 @@ index 0000000..edd0b23 +/var/run/ipa_memcached(/.*)?, /var/run/memcached(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28675,7 +29219,7 @@ index 0000000..edd0b23 \ No newline at end of file diff --git a/man/man8/mencoder_selinux.8 b/man/man8/mencoder_selinux.8 new file mode 100644 -index 0000000..57779c6 +index 0000000..01fc97c --- /dev/null +++ b/man/man8/mencoder_selinux.8 @@ -0,0 +1,73 @@ @@ -28709,7 +29253,7 @@ index 0000000..57779c6 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28754,7 +29298,7 @@ index 0000000..57779c6 +selinux(8), mencoder(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mock_selinux.8 b/man/man8/mock_selinux.8 new file mode 100644 -index 0000000..a764af8 +index 0000000..f7d8a3b --- /dev/null +++ b/man/man8/mock_selinux.8 @@ -0,0 +1,142 @@ 
@@ -28853,7 +29397,7 @@ index 0000000..a764af8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28903,7 +29447,7 @@ index 0000000..a764af8 \ No newline at end of file diff --git a/man/man8/modemmanager_selinux.8 b/man/man8/modemmanager_selinux.8 new file mode 100644 -index 0000000..144fd3c +index 0000000..e87cce2 --- /dev/null +++ b/man/man8/modemmanager_selinux.8 @@ -0,0 +1,73 @@ @@ -28937,7 +29481,7 @@ index 0000000..144fd3c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28982,7 +29526,7 @@ index 0000000..144fd3c +selinux(8), modemmanager(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mongod_selinux.8 b/man/man8/mongod_selinux.8 new file mode 100644 -index 0000000..b428089 +index 0000000..d9d4da8 --- /dev/null +++ b/man/man8/mongod_selinux.8 @@ -0,0 +1,151 @@ @@ -29037,7 +29581,7 @@ index 0000000..b428089 +.br +.TP 5 +Paths: -+/var/log/aeolus-conductor/dbomatic\.log, /var/log/mongodb(/.*)? ++/var/log/aeolus-conductor/dbomatic\.log.*, /var/log/mongodb(/.*)? + +.EX +.PP 
@@ -29068,7 +29612,7 @@ index 0000000..b428089 +/var/run/mongodb(/.*)?, /var/run/aeolus/dbomatic\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -29139,7 +29683,7 @@ index 0000000..b428089 +selinux(8), mongod(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mount_selinux.8 b/man/man8/mount_selinux.8 new file mode 100644 -index 0000000..60bf2ec +index 0000000..264fa29 --- /dev/null +++ b/man/man8/mount_selinux.8 @@ -0,0 +1,161 @@ @@ -29163,7 +29707,7 @@ index 0000000..60bf2ec +.EE + +.PP -+If you want to allow xguest users to mount removable medi, you must turn on the xguest_mount_media boolean. ++If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean. + +.EX +.B setsebool -P xguest_mount_media 1 @@ -29257,7 +29801,7 @@ index 0000000..60bf2ec +/run/mount(/.*)?, /dev/\.mount(/.*)?, /var/run/mount(/.*)?, /var/run/davfs2(/.*)?, /var/cache/davfs2(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -29307,7 +29851,7 @@ index 0000000..60bf2ec \ No newline at end of file diff --git a/man/man8/mozilla_selinux.8 b/man/man8/mozilla_selinux.8 new file mode 100644 -index 0000000..64301cd +index 0000000..aabcac2 --- /dev/null +++ b/man/man8/mozilla_selinux.8 @@ -0,0 +1,196 @@ 
@@ -29324,7 +29868,7 @@ index 0000000..64301cd + + +.PP -+If you want to allow confined web browsers to read home directory conten, you must turn on the mozilla_read_content boolean. ++If you want to allow confined web browsers to read home directory content, you must turn on the mozilla_read_content boolean. + +.EX +.B setsebool -P mozilla_read_content 1 @@ -29338,7 +29882,7 @@ index 0000000..64301cd +.EE + +.PP -+If you want to allow mozilla_plugins to create random content in the users home director, you must turn on the mozilla_plugin_enable_homedirs boolean. ++If you want to allow mozilla_plugins to create random content in the users home directory, you must turn on the mozilla_plugin_enable_homedirs boolean. + +.EX +.B setsebool -P mozilla_plugin_enable_homedirs 1 @@ -29460,7 +30004,7 @@ index 0000000..64301cd + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -29510,7 +30054,7 @@ index 0000000..64301cd \ No newline at end of file diff --git a/man/man8/mpd_selinux.8 b/man/man8/mpd_selinux.8 new file mode 100644 -index 0000000..e8c3b7f +index 0000000..90cd776 --- /dev/null +++ b/man/man8/mpd_selinux.8 @@ -0,0 +1,216 @@ @@ -29527,7 +30071,7 @@ index 0000000..e8c3b7f + + +.PP -+If you want to allow mplayer executable stac, you must turn on the mplayer_execstack boolean. ++If you want to allow mplayer executable stack, you must turn on the mplayer_execstack boolean. + +.EX +.B setsebool -P mplayer_execstack 1 
@@ -29548,14 +30092,14 @@ index 0000000..e8c3b7f +.EE + +.PP -+If you want to allow video playing tools to run unconfine, you must turn on the unconfined_mplayer boolean. ++If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean. + +.EX +.B setsebool -P unconfined_mplayer 1 +.EE + +.PP -+If you want to allow all daemons to write corefiles to , you must turn on the daemons_dump_core boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. + +.EX +.B setsebool -P daemons_dump_core 1 @@ -29657,7 +30201,7 @@ index 0000000..e8c3b7f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -29733,7 +30277,7 @@ index 0000000..e8c3b7f \ No newline at end of file diff --git a/man/man8/mplayer_selinux.8 b/man/man8/mplayer_selinux.8 new file mode 100644 -index 0000000..1413f1e +index 0000000..d79c378 --- /dev/null +++ b/man/man8/mplayer_selinux.8 @@ -0,0 +1,137 @@ @@ -29750,14 +30294,14 @@ index 0000000..1413f1e + + +.PP -+If you want to allow mplayer executable stac, you must turn on the mplayer_execstack boolean. ++If you want to allow mplayer executable stack, you must turn on the mplayer_execstack boolean. + +.EX +.B setsebool -P mplayer_execstack 1 +.EE + +.PP -+If you want to allow video playing tools to run unconfine, you must turn on the unconfined_mplayer boolean. ++If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean. + +.EX +.B setsebool -P unconfined_mplayer 1 
@@ -29827,7 +30371,7 @@ index 0000000..1413f1e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -29877,7 +30421,7 @@ index 0000000..1413f1e \ No newline at end of file diff --git a/man/man8/mrtg_selinux.8 b/man/man8/mrtg_selinux.8 new file mode 100644 -index 0000000..cc7f765 +index 0000000..58fd320 --- /dev/null +++ b/man/man8/mrtg_selinux.8 @@ -0,0 +1,131 @@ @@ -29969,7 +30513,7 @@ index 0000000..cc7f765 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30014,7 +30558,7 @@ index 0000000..cc7f765 +selinux(8), mrtg(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mscan_selinux.8 b/man/man8/mscan_selinux.8 new file mode 100644 -index 0000000..2ff3a45 +index 0000000..f950632 --- /dev/null +++ b/man/man8/mscan_selinux.8 @@ -0,0 +1,145 @@ 
@@ -30031,14 +30575,14 @@ index 0000000..2ff3a45 + + +.PP -+If you want to allow clamscan to read user conten, you must turn on the clamscan_read_user_content boolean. ++If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean. + +.EX +.B setsebool -P clamscan_read_user_content 1 +.EE + +.PP -+If you want to allow clamscan to non security files on a syste, you must turn on the clamscan_can_scan_system boolean. ++If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean. + +.EX +.B setsebool -P clamscan_can_scan_system 1 @@ -30116,7 +30660,7 @@ index 0000000..2ff3a45 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30166,7 +30710,7 @@ index 0000000..2ff3a45 \ No newline at end of file diff --git a/man/man8/munin_selinux.8 b/man/man8/munin_selinux.8 new file mode 100644 -index 0000000..214e09d +index 0000000..5be69aa --- /dev/null +++ b/man/man8/munin_selinux.8 @@ -0,0 +1,175 @@ @@ -30274,7 +30818,7 @@ index 0000000..214e09d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30347,7 +30891,7 @@ index 0000000..214e09d +selinux(8), munin(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/mysqld_selinux.8 b/man/man8/mysqld_selinux.8 new file mode 100644 -index 0000000..0b738df +index 0000000..8c48ea1 --- /dev/null +++ b/man/man8/mysqld_selinux.8 @@ -0,0 +1,230 @@ @@ -30364,14 +30908,14 @@ index 0000000..0b738df + + +.PP -+If you want to allow mysqld to connect to all port, you must turn on the mysql_connect_any boolean. ++If you want to allow mysqld to connect to all ports, you must turn on the mysql_connect_any boolean. + +.EX +.B setsebool -P mysql_connect_any 1 +.EE + +.PP -+If you want to allow users to connect to the local mysql serve, you must turn on the user_mysql_connect boolean. ++If you want to allow users to connect to the local mysql server, you must turn on the user_mysql_connect boolean. + +.EX +.B setsebool -P user_mysql_connect 1 @@ -30497,7 +31041,7 @@ index 0000000..0b738df +/var/run/mysqld(/.*)?, /var/lib/mysql/mysql\.sock + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30584,7 +31128,7 @@ index 0000000..0b738df \ No newline at end of file diff --git a/man/man8/mysqlmanagerd_selinux.8 b/man/man8/mysqlmanagerd_selinux.8 new file mode 100644 -index 0000000..8b2a8e0 +index 0000000..20bc2e9 --- /dev/null +++ b/man/man8/mysqlmanagerd_selinux.8 @@ -0,0 +1,115 @@ 
@@ -30634,7 +31178,7 @@ index 0000000..8b2a8e0 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30705,7 +31249,7 @@ index 0000000..8b2a8e0 +selinux(8), mysqlmanagerd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nagios_selinux.8 b/man/man8/nagios_selinux.8 new file mode 100644 -index 0000000..42e0804 +index 0000000..131c93d --- /dev/null +++ b/man/man8/nagios_selinux.8 @@ -0,0 +1,235 @@ 
@@ -30838,7 +31382,7 @@ index 0000000..42e0804 +.br +.TP 5 +Paths: -+/usr/lib/nagios/plugins/check_time, /usr/lib/nagios/plugins/check_dhcp, /usr/lib/nagios/plugins/check_radius, /usr/lib/nagios/plugins/check_nrpe, /usr/lib/nagios/plugins/check_smtp, /usr/lib/nagios/plugins/check_sip, /usr/lib/nagios/plugins/check_ssh, /usr/lib/nagios/plugins/check_pgsql, /usr/lib/nagios/plugins/check_ntp.*, /usr/lib/nagios/plugins/check_ldap, /usr/lib/nagios/plugins/check_real, /usr/lib/nagios/plugins/check_dummy, /usr/lib/nagios/plugins/check_ping, /usr/lib/nagios/plugins/check_nt, /usr/lib/nagios/plugins/check_game, /usr/lib/nagios/plugins/check_breeze, /usr/lib/nagios/plugins/check_tcp, /usr/lib/nagios/plugins/check_rpc, /usr/lib/nagios/plugins/check_oracle, /usr/lib/nagios/plugins/check_cluster, /usr/lib/nagios/plugins/check_ups, /usr/lib/nagios/plugins/check_ircd, /usr/lib/nagios/plugins/check_dig, /usr/lib/nagios/plugins/check_mysql_query, /usr/lib/nagios/plugins/check_hpjd, /usr/lib/nagios/plugins/check_mysql, /usr/lib/nagios/plugins/check_icmp, /usr/lib/nagios/plugins/check_http, /usr/lib/nagios/plugins/check_snmp.*, /usr/lib/nagios/plugins/check_fping, /usr/lib/nagios/plugins/check_dns ++/usr/lib/nagios/plugins/check_time, /usr/lib/nagios/plugins/check_dhcp, /usr/lib/nagios/plugins/check_radius, /usr/lib/nagios/plugins/check_nrpe, /usr/lib/nagios/plugins/check_smtp, /usr/lib/nagios/plugins/check_cluster, /usr/lib/nagios/plugins/check_sip, /usr/lib/nagios/plugins/check_ssh, /usr/lib/nagios/plugins/check_pgsql, /usr/lib/nagios/plugins/check_ntp.*, /usr/lib/nagios/plugins/check_ldap, /usr/lib/nagios/plugins/check_real, /usr/lib/nagios/plugins/check_dummy, /usr/lib/nagios/plugins/check_ping, /usr/lib/nagios/plugins/check_nt, /usr/lib/nagios/plugins/check_game, /usr/lib/nagios/plugins/check_breeze, /usr/lib/nagios/plugins/check_tcp, /usr/lib/nagios/plugins/check_rpc, /usr/lib/nagios/plugins/check_oracle, /usr/lib/nagios/plugins/check_ups, /usr/lib/nagios/plugins/check_ircd, 
/usr/lib/nagios/plugins/check_dig, /usr/lib/nagios/plugins/check_mysql_query, /usr/lib/nagios/plugins/check_hpjd, /usr/lib/nagios/plugins/check_mysql, /usr/lib/nagios/plugins/check_icmp, /usr/lib/nagios/plugins/check_http, /usr/lib/nagios/plugins/check_snmp.*, /usr/lib/nagios/plugins/check_fping, /usr/lib/nagios/plugins/check_dns + +.EX +.PP @@ -30901,7 +31445,7 @@ index 0000000..42e0804 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30945,7 +31489,7 @@ index 0000000..42e0804 +.SH "SEE ALSO" +selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8 -index fce0b48..9f6f9d8 100644 +index fce0b48..8828c8c 100644 --- a/man/man8/named_selinux.8 +++ b/man/man8/named_selinux.8 @@ -1,30 +1,221 @@ 
@@ -31051,7 +31595,7 @@ index fce0b48..9f6f9d8 100644 +.br +.TP 5 +Paths: -+/var/named/chroot/etc/named\.root\.hints, /etc/named\.root\.hints, /var/named/chroot(/.*)?, /var/named/named\.ca, /etc/unbound(/.*)?, /var/named/chroot/etc/named\.caching-nameserver\.conf, /etc/named\.rfc1912.zones, /etc/named\.caching-nameserver\.conf, /etc/named\.conf, /var/named/chroot/var/named/named\.ca, /var/named/chroot/etc/named\.conf, /etc/rndc.*, /var/named/chroot/etc/named\.rfc1912.zones ++/var/named/chroot/etc/named\.root\.hints, /var/named/chroot(/.*)?, /var/named/named\.ca, /etc/unbound(/.*)?, /var/named/chroot/etc/named\.caching-nameserver\.conf, /etc/named\.rfc1912.zones, /etc/named\.caching-nameserver\.conf, /etc/named\.conf, /var/named/chroot/var/named/named\.ca, /var/named/chroot/etc/named\.conf, /etc/rndc.*, /var/named/chroot/etc/named\.rfc1912.zones, /etc/named\.root\.hints + +.EX +.PP @@ -31142,7 +31686,7 @@ index fce0b48..9f6f9d8 100644 +/var/named/chroot/var/named(/.*)?, /var/named(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -31192,7 +31736,7 @@ index fce0b48..9f6f9d8 100644 \ No newline at end of file diff --git a/man/man8/namespace_selinux.8 b/man/man8/namespace_selinux.8 new file mode 100644 -index 0000000..75eb5b6 +index 0000000..3d5eb82 --- /dev/null +++ b/man/man8/namespace_selinux.8 @@ -0,0 +1,87 @@ 
@@ -31240,7 +31784,7 @@ index 0000000..75eb5b6 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -31285,7 +31829,7 @@ index 0000000..75eb5b6 +selinux(8), namespace(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ncftool_selinux.8 b/man/man8/ncftool_selinux.8 new file mode 100644 -index 0000000..35fe63a +index 0000000..b4ceef0 --- /dev/null +++ b/man/man8/ncftool_selinux.8 @@ -0,0 +1,73 @@ @@ -31319,7 +31863,7 @@ index 0000000..35fe63a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -31364,7 +31908,7 @@ index 0000000..35fe63a +selinux(8), ncftool(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ndc_selinux.8 b/man/man8/ndc_selinux.8 new file mode 100644 -index 0000000..5d9e693 +index 0000000..1e7e844 --- /dev/null +++ b/man/man8/ndc_selinux.8 @@ -0,0 +1,87 @@ @@ -31412,7 +31956,7 @@ index 0000000..5d9e693 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -31457,7 +32001,7 @@ index 0000000..5d9e693 +selinux(8), ndc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/netlabel_selinux.8 b/man/man8/netlabel_selinux.8 new file mode 100644 -index 0000000..ef88282 +index 0000000..5c0e840 --- /dev/null +++ b/man/man8/netlabel_selinux.8 @@ -0,0 +1,77 @@ @@ -31495,7 +32039,7 @@ index 0000000..ef88282 +/sbin/netlabelctl, /usr/sbin/netlabelctl + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -31540,7 +32084,7 @@ index 0000000..ef88282 +selinux(8), netlabel(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/netlogond_selinux.8 b/man/man8/netlogond_selinux.8 new file mode 100644 -index 0000000..2567762 +index 0000000..e698666 --- /dev/null +++ b/man/man8/netlogond_selinux.8 @@ -0,0 +1,101 @@ @@ -31602,7 +32146,7 @@ index 0000000..2567762 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -31647,7 +32191,7 @@ index 0000000..2567762 +selinux(8), netlogond(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/netutils_selinux.8 b/man/man8/netutils_selinux.8 new file mode 100644 -index 0000000..bd2a11b +index 0000000..159b943 --- /dev/null +++ b/man/man8/netutils_selinux.8 @@ -0,0 +1,99 @@ 
@@ -31707,7 +32251,7 @@ index 0000000..bd2a11b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -31752,7 +32296,7 @@ index 0000000..bd2a11b +selinux(8), netutils(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/newrole_selinux.8 b/man/man8/newrole_selinux.8 new file mode 100644 -index 0000000..ab0d67b +index 0000000..e87c6b4 --- /dev/null +++ b/man/man8/newrole_selinux.8 @@ -0,0 +1,87 @@ @@ -31800,7 +32344,7 @@ index 0000000..ab0d67b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -31845,7 +32389,7 @@ index 0000000..ab0d67b +selinux(8), newrole(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nfsd_selinux.8 b/man/man8/nfsd_selinux.8 new file mode 100644 -index 0000000..a1df581 +index 0000000..2256e23 --- /dev/null +++ b/man/man8/nfsd_selinux.8 @@ -0,0 +1,304 @@ 
@@ -31862,14 +32406,14 @@ index 0000000..a1df581 + + +.PP -+If you want to allow xen to manage nfs file, you must turn on the xen_use_nfs boolean. ++If you want to allow xen to manage nfs files, you must turn on the xen_use_nfs boolean. + +.EX +.B setsebool -P xen_use_nfs 1 +.EE + +.PP -+If you want to allow confined virtual guests to manage nfs file, you must turn on the virt_use_nfs boolean. ++If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean. + +.EX +.B setsebool -P virt_use_nfs 1 @@ -31883,7 +32427,7 @@ index 0000000..a1df581 +.EE + +.PP -+If you want to allow qemu to use nfs file system, you must turn on the qemu_use_nfs boolean. ++If you want to allow qemu to use nfs file systems, you must turn on the qemu_use_nfs boolean. + +.EX +.B setsebool -P qemu_use_nfs 1 @@ -31897,14 +32441,14 @@ index 0000000..a1df581 +.EE + +.PP -+If you want to allow rsync servers to share nfs files system, you must turn on the rsync_use_nfs boolean. ++If you want to allow rsync servers to share nfs files systems, you must turn on the rsync_use_nfs boolean. + +.EX +.B setsebool -P rsync_use_nfs 1 +.EE + +.PP -+If you want to support NFS home directorie, you must turn on the use_nfs_home_dirs boolean. ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. + +.EX +.B setsebool -P use_nfs_home_dirs 1 @@ -31918,7 +32462,7 @@ index 0000000..a1df581 +.EE + +.PP -+If you want to allow httpd to access nfs file system, you must turn on the httpd_use_nfs boolean. ++If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean. + +.EX +.B setsebool -P httpd_use_nfs 1 
@@ -31939,7 +32483,7 @@ index 0000000..a1df581 +.EE + +.PP -+If you want to allow confined virtual guests to manage nfs file, you must turn on the sanlock_use_nfs boolean. ++If you want to allow sanlock to manage nfs files, you must turn on the sanlock_use_nfs boolean. + +.EX +.B setsebool -P sanlock_use_nfs 1 @@ -31967,7 +32511,7 @@ index 0000000..a1df581 +.EE + +.PP -+If you want to allow the portage domains to use NFS mounts (regular nfs_t, you must turn on the portage_use_nfs boolean. ++If you want to allow the portage domains to use NFS mounts (regular nfs_t), you must turn on the portage_use_nfs boolean. + +.EX +.B setsebool -P portage_use_nfs 1 @@ -32078,7 +32622,7 @@ index 0000000..a1df581 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32265,7 +32809,7 @@ index 0000000..87983d6 +selinux(8), nginx(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nmbd_selinux.8 b/man/man8/nmbd_selinux.8 new file mode 100644 -index 0000000..0a4ae8d +index 0000000..7fbdb85 --- /dev/null +++ b/man/man8/nmbd_selinux.8 @@ -0,0 +1,125 @@ 
@@ -32325,7 +32869,7 @@ index 0000000..0a4ae8d +/var/run/samba/nmbd(/.*)?, /var/run/samba/messages\.tdb, /var/run/samba/namelist\.debug, /var/run/nmbd(/.*)?, /var/run/samba/unexpected\.tdb, /var/run/samba/nmbd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32396,7 +32940,7 @@ index 0000000..0a4ae8d +selinux(8), nmbd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nova_selinux.8 b/man/man8/nova_selinux.8 new file mode 100644 -index 0000000..33138c0 +index 0000000..d7c5ff3 --- /dev/null +++ b/man/man8/nova_selinux.8 @@ -0,0 +1,383 @@ @@ -32740,7 +33284,7 @@ index 0000000..33138c0 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32785,7 +33329,7 @@ index 0000000..33138c0 +selinux(8), nova(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nrpe_selinux.8 b/man/man8/nrpe_selinux.8 new file mode 100644 -index 0000000..6652860 +index 0000000..6a0a8ea --- /dev/null +++ b/man/man8/nrpe_selinux.8 @@ -0,0 +1,103 @@ 
@@ -32849,7 +33393,7 @@ index 0000000..6652860 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32894,7 +33438,7 @@ index 0000000..6652860 +selinux(8), nrpe(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nscd_selinux.8 b/man/man8/nscd_selinux.8 new file mode 100644 -index 0000000..3500305 +index 0000000..0501d6c --- /dev/null +++ b/man/man8/nscd_selinux.8 @@ -0,0 +1,138 @@ @@ -32989,7 +33533,7 @@ index 0000000..3500305 +/var/run/nscd\.pid, /var/run/nscd(/.*)?, /var/db/nscd(/.*)?, /var/run/\.nscd_socket, /var/cache/nscd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33039,7 +33583,7 @@ index 0000000..3500305 \ No newline at end of file diff --git a/man/man8/nslcd_selinux.8 b/man/man8/nslcd_selinux.8 new file mode 100644 -index 0000000..0e5ecff +index 0000000..1188ea0 --- /dev/null +++ b/man/man8/nslcd_selinux.8 @@ -0,0 +1,111 @@ 
@@ -33111,7 +33655,7 @@ index 0000000..0e5ecff + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33156,7 +33700,7 @@ index 0000000..0e5ecff +selinux(8), nslcd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ntop_selinux.8 b/man/man8/ntop_selinux.8 new file mode 100644 -index 0000000..584ceae +index 0000000..52c56b8 --- /dev/null +++ b/man/man8/ntop_selinux.8 @@ -0,0 +1,155 @@ @@ -33244,7 +33788,7 @@ index 0000000..584ceae + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33317,7 +33861,7 @@ index 0000000..584ceae +selinux(8), ntop(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ntpd_selinux.8 b/man/man8/ntpd_selinux.8 new file mode 100644 -index 0000000..593a222 +index 0000000..3a52789 --- /dev/null +++ b/man/man8/ntpd_selinux.8 @@ -0,0 +1,189 @@ @@ -33441,7 +33985,7 @@ index 0000000..593a222 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -33512,7 +34056,7 @@ index 0000000..593a222 +selinux(8), ntpd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/numad_selinux.8 b/man/man8/numad_selinux.8 new file mode 100644 -index 0000000..e92cd9a +index 0000000..05c319a --- /dev/null +++ b/man/man8/numad_selinux.8 @@ -0,0 +1,97 @@ @@ -33570,7 +34114,7 @@ index 0000000..e92cd9a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33615,7 +34159,7 @@ index 0000000..e92cd9a +selinux(8), numad(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nut_selinux.8 b/man/man8/nut_selinux.8 new file mode 100644 -index 0000000..57e97d3 +index 0000000..742a692 --- /dev/null +++ b/man/man8/nut_selinux.8 @@ -0,0 +1,123 @@ @@ -33699,7 +34243,7 @@ index 0000000..57e97d3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33744,7 +34288,7 @@ index 0000000..57e97d3 +selinux(8), nut(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nx_selinux.8 b/man/man8/nx_selinux.8 new file mode 100644 -index 0000000..643c0cf +index 0000000..7383682 --- /dev/null +++ b/man/man8/nx_selinux.8 @@ -0,0 +1,131 @@ 
@@ -33836,7 +34380,7 @@ index 0000000..643c0cf + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33943,7 +34487,7 @@ index 0000000..2746ea3 +selinux(8), semanage(8). diff --git a/man/man8/obex_selinux.8 b/man/man8/obex_selinux.8 new file mode 100644 -index 0000000..0455948 +index 0000000..b43de4f --- /dev/null +++ b/man/man8/obex_selinux.8 @@ -0,0 +1,73 @@ @@ -33977,7 +34521,7 @@ index 0000000..0455948 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -34022,7 +34566,7 @@ index 0000000..0455948 +selinux(8), obex(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/oddjob_selinux.8 b/man/man8/oddjob_selinux.8 new file mode 100644 -index 0000000..4c91162 +index 0000000..5697e76 --- /dev/null +++ b/man/man8/oddjob_selinux.8 @@ -0,0 +1,122 @@ @@ -34039,7 +34583,7 @@ index 0000000..4c91162 + + +.PP -+If you want to allow httpd to communicate with oddjob to start up a servic, you must turn on the httpd_use_oddjob boolean. ++If you want to allow httpd to communicate with oddjob to start up a service, you must turn on the httpd_use_oddjob boolean. + +.EX +.B setsebool -P httpd_use_oddjob 1 
@@ -34101,7 +34645,7 @@ index 0000000..4c91162 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -34151,7 +34695,7 @@ index 0000000..4c91162 \ No newline at end of file diff --git a/man/man8/openct_selinux.8 b/man/man8/openct_selinux.8 new file mode 100644 -index 0000000..f3ec094 +index 0000000..c9e9507 --- /dev/null +++ b/man/man8/openct_selinux.8 @@ -0,0 +1,85 @@ @@ -34197,7 +34741,7 @@ index 0000000..f3ec094 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -34242,7 +34786,7 @@ index 0000000..f3ec094 +selinux(8), openct(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/openvpn_selinux.8 b/man/man8/openvpn_selinux.8 new file mode 100644 -index 0000000..e2527d0 +index 0000000..f6b1589 --- /dev/null +++ b/man/man8/openvpn_selinux.8 @@ -0,0 +1,182 @@ @@ -34259,7 +34803,7 @@ index 0000000..e2527d0 + + +.PP -+If you want to allow openvpn to read home directorie, you must turn on the openvpn_enable_homedirs boolean. ++If you want to allow openvpn to read home directories, you must turn on the openvpn_enable_homedirs boolean. + +.EX +.B setsebool -P openvpn_enable_homedirs 1 
@@ -34353,7 +34897,7 @@ index 0000000..e2527d0 +/var/run/openvpn(/.*)?, /var/run/openvpn\.client.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -34431,7 +34975,7 @@ index 0000000..e2527d0 \ No newline at end of file diff --git a/man/man8/pacemaker_selinux.8 b/man/man8/pacemaker_selinux.8 new file mode 100644 -index 0000000..a842d3d +index 0000000..3dee1f7 --- /dev/null +++ b/man/man8/pacemaker_selinux.8 @@ -0,0 +1,123 @@ @@ -34515,7 +35059,7 @@ index 0000000..a842d3d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -34560,7 +35104,7 @@ index 0000000..a842d3d +selinux(8), pacemaker(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/pads_selinux.8 b/man/man8/pads_selinux.8 new file mode 100644 -index 0000000..8ebf008 +index 0000000..9bdc166 --- /dev/null +++ b/man/man8/pads_selinux.8 @@ -0,0 +1,101 @@ 
@@ -34622,7 +35166,7 @@ index 0000000..8ebf008 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -34667,7 +35211,7 @@ index 0000000..8ebf008 +selinux(8), pads(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/passenger_selinux.8 b/man/man8/passenger_selinux.8 new file mode 100644 -index 0000000..2a36018 +index 0000000..c98960e --- /dev/null +++ b/man/man8/passenger_selinux.8 @@ -0,0 +1,127 @@ @@ -34755,7 +35299,7 @@ index 0000000..2a36018 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -34800,7 +35344,7 @@ index 0000000..2a36018 +selinux(8), passenger(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/passwd_selinux.8 b/man/man8/passwd_selinux.8 new file mode 100644 -index 0000000..0efdcf6 +index 0000000..1b99b6f --- /dev/null +++ b/man/man8/passwd_selinux.8 @@ -0,0 +1,103 @@ 
@@ -34864,7 +35408,7 @@ index 0000000..0efdcf6 +/etc/passwd\.OLD, /etc/ptmptmp, /etc/group[-\+]?, /etc/passwd[-\+]? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -34909,7 +35453,7 @@ index 0000000..0efdcf6 +selinux(8), passwd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/pcscd_selinux.8 b/man/man8/pcscd_selinux.8 new file mode 100644 -index 0000000..f87af16 +index 0000000..c2a4661 --- /dev/null +++ b/man/man8/pcscd_selinux.8 @@ -0,0 +1,85 @@ @@ -34955,7 +35499,7 @@ index 0000000..f87af16 +/var/run/pcscd\.pid, /var/run/pcscd\.comm, /var/run/pcscd\.events(/.*)?, /var/run/pcscd\.pub, /var/run/pcscd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -35000,7 +35544,7 @@ index 0000000..f87af16 +selinux(8), pcscd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/pegasus_selinux.8 b/man/man8/pegasus_selinux.8 new file mode 100644 -index 0000000..6a16517 +index 0000000..95434a5 --- /dev/null +++ b/man/man8/pegasus_selinux.8 @@ -0,0 +1,172 @@ 
@@ -35096,7 +35640,7 @@ index 0000000..6a16517 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -35176,42 +35720,31 @@ index 0000000..6a16517 + +.SH "SEE ALSO" +selinux(8), pegasus(8), semanage(8), restorecon(8), chcon(1) -diff --git a/man/man8/ping_selinux.8 b/man/man8/ping_selinux.8 +diff --git a/man/man8/phpfpm_selinux.8 b/man/man8/phpfpm_selinux.8 new file mode 100644 -index 0000000..b791a0d +index 0000000..343e576 
--- /dev/null -+++ b/man/man8/ping_selinux.8 -@@ -0,0 +1,164 @@ -+.TH "ping_selinux" "8" "ping" "dwalsh@redhat.com" "ping SELinux Policy documentation" ++++ b/man/man8/phpfpm_selinux.8 +@@ -0,0 +1,111 @@ ++.TH "phpfpm_selinux" "8" "phpfpm" "dwalsh@redhat.com" "phpfpm SELinux Policy documentation" +.SH "NAME" -+ping_selinux \- Security Enhanced Linux Policy for the ping processes ++phpfpm_selinux \- Security Enhanced Linux Policy for the phpfpm processes +.SH "DESCRIPTION" + -+Security-Enhanced Linux secures the ping processes via flexible mandatory access ++Security-Enhanced Linux secures the phpfpm processes via flexible mandatory access +control. + -+.SH BOOLEANS -+SELinux policy is customizable based on least access required. ping policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ping with the tightest access possible. -+ -+ -+.PP -+If you want to control users use of ping and tracerout, you must turn on the user_ping boolean. -+ -+.EX -+.B setsebool -P user_ping 1 -+.EE -+ +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the phpfpm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX +setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + +.PP -+If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the kerberos_enabled boolean. ++If you want to allow confined applications to run with kerberos for the phpfpm_t, you must turn on the kerberos_enabled boolean. + +.EX +setsebool -P kerberos_enabled 1 
@@ -35223,97 +35756,62 @@ index 0000000..b791a0d +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP +Policy governs the access confined processes have to these files. -+SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible. ++SELinux phpfpm policy is very flexible allowing users to setup their phpfpm processes in as secure a method as possible. +.PP -+The following file types are defined for ping: ++The following file types are defined for phpfpm: + + +.EX +.PP -+.B ping_exec_t -+.EE -+ -+- Set files with the ping_exec_t type, if you want to transition an executable to the ping_t domain. -+ -+.br -+.TP 5 -+Paths: -+/usr/bin/ping.*, /usr/sbin/hping2, /usr/sbin/fping.*, /bin/ping.*, /usr/sbin/send_arp -+ -+.EX -+.PP -+.B pingd_etc_t ++.B phpfpm_exec_t +.EE + -+- Set files with the pingd_etc_t type, if you want to store pingd files in the /etc directories. ++- Set files with the phpfpm_exec_t type, if you want to transition an executable to the phpfpm_t domain. + + +.EX +.PP -+.B pingd_exec_t ++.B phpfpm_log_t +.EE + -+- Set files with the pingd_exec_t type, if you want to transition an executable to the pingd_t domain. ++- Set files with the phpfpm_log_t type, if you want to treat the data as phpfpm log data, usually stored under the /var/log directory. + + +.EX +.PP -+.B pingd_initrc_exec_t ++.B phpfpm_unit_file_t +.EE + -+- Set files with the pingd_initrc_exec_t type, if you want to transition an executable to the pingd_initrc_t domain. ++- Set files with the phpfpm_unit_file_t type, if you want to treat the files as phpfpm unit content. + + +.EX +.PP -+.B pingd_modules_t ++.B phpfpm_var_run_t +.EE + -+- Set files with the pingd_modules_t type, if you want to treat the files as pingd modules. ++- Set files with the phpfpm_var_run_t type, if you want to store the phpfpm files under the /run directory. 
+ + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible. -+.PP -+The following port types are defined for ping: -+ -+.EX -+.TP 5 -+.B pingd_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 9125 -+.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP +You can see the context of a process using the \fB\-Z\fP option to \fBps\bP +.PP +Policy governs the access confined processes have to files. -+SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible. ++SELinux phpfpm policy is very flexible allowing users to setup their phpfpm processes in as secure a method as possible. +.PP -+The following process types are defined for ping: ++The following process types are defined for phpfpm: + +.EX -+.B ping_t, pingd_t ++.B phpfpm_t +.EE +.PP +Note: 
@@ -35330,12 +35828,6 @@ index 0000000..b791a0d +.B semanage module +can also be used to enable/disable/install/remove policy modules. + -+.B semanage port -+can also be used to manipulate the port definitions -+ -+.B semanage boolean -+can also be used to manipulate the booleans -+ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -35344,29 +35836,198 @@ index 0000000..b791a0d +This manual page was autogenerated by genman.py. + +.SH "SEE ALSO" -+selinux(8), ping(8), semanage(8), restorecon(8), chcon(1) -+, setsebool(8) -\ No newline at end of file -diff --git a/man/man8/pingd_selinux.8 b/man/man8/pingd_selinux.8 ++selinux(8), phpfpm(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/ping_selinux.8 b/man/man8/ping_selinux.8 new file mode 100644 -index 0000000..3471a77 +index 0000000..f9fabf0 
--- /dev/null -+++ b/man/man8/pingd_selinux.8 -@@ -0,0 +1,152 @@ -+.TH "pingd_selinux" "8" "pingd" "dwalsh@redhat.com" "pingd SELinux Policy documentation" ++++ b/man/man8/ping_selinux.8 +@@ -0,0 +1,164 @@ ++.TH "ping_selinux" "8" "ping" "dwalsh@redhat.com" "ping SELinux Policy documentation" +.SH "NAME" -+pingd_selinux \- Security Enhanced Linux Policy for the pingd processes ++ping_selinux \- Security Enhanced Linux Policy for the ping processes +.SH "DESCRIPTION" + -+Security-Enhanced Linux secures the pingd processes via flexible mandatory access ++Security-Enhanced Linux secures the ping processes via flexible mandatory access +control. + +.SH BOOLEANS -+SELinux policy is customizable based on least access required. pingd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pingd with the tightest access possible. ++SELinux policy is customizable based on least access required. ping policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ping with the tightest access possible. + + +.PP -+If you want to control users use of ping and tracerout, you must turn on the user_ping boolean. ++If you want to control users use of ping and traceroute, you must turn on the user_ping boolean. ++ ++.EX ++.B setsebool -P user_ping 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. 
++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible. ++.PP ++The following file types are defined for ping: ++ ++ ++.EX ++.PP ++.B ping_exec_t ++.EE ++ ++- Set files with the ping_exec_t type, if you want to transition an executable to the ping_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/ping.*, /usr/sbin/hping2, /usr/sbin/fping.*, /bin/ping.*, /usr/sbin/send_arp ++ ++.EX ++.PP ++.B pingd_etc_t ++.EE ++ ++- Set files with the pingd_etc_t type, if you want to store pingd files in the /etc directories. ++ ++ ++.EX ++.PP ++.B pingd_exec_t ++.EE ++ ++- Set files with the pingd_exec_t type, if you want to transition an executable to the pingd_t domain. ++ ++ ++.EX ++.PP ++.B pingd_initrc_exec_t ++.EE ++ ++- Set files with the pingd_initrc_exec_t type, if you want to transition an executable to the pingd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B pingd_modules_t ++.EE ++ ++- Set files with the pingd_modules_t type, if you want to treat the files as pingd modules. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible. 
++.PP ++The following port types are defined for ping: ++ ++.EX ++.TP 5 ++.B pingd_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 9125 ++.EE ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible. ++.PP ++The following process types are defined for ping: ++ ++.EX ++.B ping_t, pingd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a PROCESS_TYPE ++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage port ++can also be used to manipulate the port definitions ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was autogenerated by genman.py. 
++ ++.SH "SEE ALSO" ++selinux(8), ping(8), semanage(8), restorecon(8), chcon(1) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/pingd_selinux.8 b/man/man8/pingd_selinux.8 +new file mode 100644 +index 0000000..7e85446 +--- /dev/null ++++ b/man/man8/pingd_selinux.8 +@@ -0,0 +1,152 @@ ++.TH "pingd_selinux" "8" "pingd" "dwalsh@redhat.com" "pingd SELinux Policy documentation" ++.SH "NAME" ++pingd_selinux \- Security Enhanced Linux Policy for the pingd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the pingd processes via flexible mandatory access ++control. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. pingd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pingd with the tightest access possible. ++ ++ ++.PP ++If you want to control users use of ping and traceroute, you must turn on the user_ping boolean. + +.EX +.B setsebool -P user_ping 1 @@ -35432,7 +36093,7 @@ index 0000000..3471a77 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -35508,7 +36169,7 @@ index 0000000..3471a77 \ No newline at end of file diff --git a/man/man8/piranha_selinux.8 b/man/man8/piranha_selinux.8 new file mode 100644 -index 0000000..12d4be7 +index 0000000..7ca6103 --- /dev/null +++ b/man/man8/piranha_selinux.8 @@ -0,0 +1,244 @@ 
@@ -35683,7 +36344,7 @@ index 0000000..12d4be7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36269,7 +36930,7 @@ index 0000000..2272c46 +selinux(8), pki(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/plymouth_selinux.8 b/man/man8/plymouth_selinux.8 new file mode 100644 -index 0000000..c24fadd +index 0000000..d65e7f3 --- /dev/null +++ b/man/man8/plymouth_selinux.8 @@ -0,0 +1,121 @@ @@ -36351,7 +37012,7 @@ index 0000000..c24fadd + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36396,7 +37057,7 @@ index 0000000..c24fadd +selinux(8), plymouth(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/plymouthd_selinux.8 b/man/man8/plymouthd_selinux.8 new file mode 100644 -index 0000000..fc2c7dc +index 0000000..2862f31 --- /dev/null +++ b/man/man8/plymouthd_selinux.8 @@ -0,0 +1,109 @@ 
@@ -36466,7 +37127,7 @@ index 0000000..fc2c7dc + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36511,7 +37172,7 @@ index 0000000..fc2c7dc +selinux(8), plymouthd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/podsleuth_selinux.8 b/man/man8/podsleuth_selinux.8 new file mode 100644 -index 0000000..0170aa2 +index 0000000..b0c4cf1 --- /dev/null +++ b/man/man8/podsleuth_selinux.8 @@ -0,0 +1,101 @@ @@ -36573,7 +37234,7 @@ index 0000000..0170aa2 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36618,7 +37279,7 @@ index 0000000..0170aa2 +selinux(8), podsleuth(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/policykit_selinux.8 b/man/man8/policykit_selinux.8 new file mode 100644 -index 0000000..780f4cb +index 0000000..3845e60 --- /dev/null +++ b/man/man8/policykit_selinux.8 @@ -0,0 +1,163 @@ 
@@ -36742,7 +37403,7 @@ index 0000000..780f4cb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36787,7 +37448,7 @@ index 0000000..780f4cb +selinux(8), policykit(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/polipo_selinux.8 b/man/man8/polipo_selinux.8 new file mode 100644 -index 0000000..c189d0d +index 0000000..b456ae1 --- /dev/null +++ b/man/man8/polipo_selinux.8 @@ -0,0 +1,201 @@ @@ -36804,7 +37465,7 @@ index 0000000..c189d0d + + +.PP -+If you want to allow polipo to connect to all ports > 102, you must turn on the polipo_connect_all_unreserved boolean. ++If you want to allow polipo to connect to all ports > 1023, you must turn on the polipo_connect_all_unreserved boolean. + +.EX +.B setsebool -P polipo_connect_all_unreserved 1 @@ -36945,7 +37606,7 @@ index 0000000..c189d0d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36995,7 +37656,7 @@ index 0000000..c189d0d \ No newline at end of file diff --git a/man/man8/portmap_selinux.8 b/man/man8/portmap_selinux.8 new file mode 100644 -index 0000000..a4e94f2 +index 0000000..e031461 --- /dev/null +++ b/man/man8/portmap_selinux.8 @@ -0,0 +1,162 @@ 
@@ -37012,7 +37673,7 @@ index 0000000..a4e94f2 + + +.PP -+If you want to allow samba to act as a portmappe, you must turn on the samba_portmapper boolean. ++If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean. + +.EX +.B setsebool -P samba_portmapper 1 @@ -37086,7 +37747,7 @@ index 0000000..a4e94f2 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37164,7 +37825,7 @@ index 0000000..a4e94f2 \ No newline at end of file diff --git a/man/man8/portreserve_selinux.8 b/man/man8/portreserve_selinux.8 new file mode 100644 -index 0000000..f40af74 +index 0000000..3345ff0 --- /dev/null +++ b/man/man8/portreserve_selinux.8 @@ -0,0 +1,101 @@ @@ -37226,7 +37887,7 @@ index 0000000..f40af74 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37271,7 +37932,7 @@ index 0000000..f40af74 +selinux(8), portreserve(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/postfix_selinux.8 b/man/man8/postfix_selinux.8 new file mode 100644 -index 0000000..afda15b +index 0000000..562d40c --- /dev/null +++ b/man/man8/postfix_selinux.8 @@ -0,0 +1,432 @@ 
@@ -37288,7 +37949,7 @@ index 0000000..afda15b + + +.PP -+If you want to allow postfix_local domain full write access to mail_spool directorie, you must turn on the postfix_local_write_mail_spool boolean. ++If you want to allow postfix_local domain full write access to mail_spool directories, you must turn on the postfix_local_write_mail_spool boolean. + +.EX +.B setsebool -P postfix_local_write_mail_spool 1 @@ -37634,7 +38295,7 @@ index 0000000..afda15b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37710,7 +38371,7 @@ index 0000000..afda15b \ No newline at end of file diff --git a/man/man8/postgresql_selinux.8 b/man/man8/postgresql_selinux.8 new file mode 100644 -index 0000000..b21f9fe +index 0000000..ea8f221 --- /dev/null +++ b/man/man8/postgresql_selinux.8 @@ -0,0 +1,200 @@ @@ -37727,7 +38388,7 @@ index 0000000..b21f9fe + + +.PP -+If you want to allow users to connect to PostgreSQ, you must turn on the user_postgresql_connect boolean. ++If you want to allow users to connect to PostgreSQL, you must turn on the user_postgresql_connect boolean. + +.EX +.B setsebool -P user_postgresql_connect 1 @@ -37841,7 +38502,7 @@ index 0000000..b21f9fe + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -37917,7 +38578,7 @@ index 0000000..b21f9fe \ No newline at end of file diff --git a/man/man8/postgrey_selinux.8 b/man/man8/postgrey_selinux.8 new file mode 100644 -index 0000000..daf4f9f +index 0000000..7655902 --- /dev/null +++ b/man/man8/postgrey_selinux.8 @@ -0,0 +1,143 @@ @@ -37995,7 +38656,7 @@ index 0000000..daf4f9f +/var/run/postgrey\.pid, /var/run/postgrey(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38066,7 +38727,7 @@ index 0000000..daf4f9f +selinux(8), postgrey(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/pppd_selinux.8 b/man/man8/pppd_selinux.8 new file mode 100644 -index 0000000..552a6e4 +index 0000000..6b97eb9 --- /dev/null +++ b/man/man8/pppd_selinux.8 @@ -0,0 +1,205 @@ @@ -38083,14 +38744,14 @@ index 0000000..552a6e4 + + +.PP -+If you want to allow pppd to be run for a regular use, you must turn on the pppd_for_user boolean. ++If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean. + +.EX +.B setsebool -P pppd_for_user 1 +.EE + +.PP -+If you want to allow pppd to load kernel modules for certain modem, you must turn on the pppd_can_insmod boolean. ++If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean. + +.EX +.B setsebool -P pppd_can_insmod 1 
@@ -38228,7 +38889,7 @@ index 0000000..552a6e4 +/var/run/pppd[0-9]*\.tdb, /var/run/ppp(/.*)?, /var/run/(i)?ppp.*pid[^/]* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38278,7 +38939,7 @@ index 0000000..552a6e4 \ No newline at end of file diff --git a/man/man8/pptp_selinux.8 b/man/man8/pptp_selinux.8 new file mode 100644 -index 0000000..9dd5174 +index 0000000..e13f5c3 --- /dev/null +++ b/man/man8/pptp_selinux.8 @@ -0,0 +1,131 @@ @@ -38342,7 +39003,7 @@ index 0000000..9dd5174 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38415,7 +39076,7 @@ index 0000000..9dd5174 +selinux(8), pptp(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/prelink_selinux.8 b/man/man8/prelink_selinux.8 new file mode 100644 -index 0000000..a921aca +index 0000000..a314c41 --- /dev/null +++ b/man/man8/prelink_selinux.8 @@ -0,0 +1,143 @@ @@ -38488,7 +39149,7 @@ index 0000000..a921aca +.br +.TP 5 +Paths: -+/var/log/prelink(/.*)?, /var/log/prelink\.log ++/var/log/prelink(/.*)?, /var/log/prelink\.log.* + +.EX +.PP 
@@ -38519,7 +39180,7 @@ index 0000000..a921aca +/var/lib/prelink(/.*)?, /var/lib/misc/prelink.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38564,7 +39225,7 @@ index 0000000..a921aca +selinux(8), prelink(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/prelude_selinux.8 b/man/man8/prelude_selinux.8 new file mode 100644 -index 0000000..9196e90 +index 0000000..b6d1c35 --- /dev/null +++ b/man/man8/prelude_selinux.8 @@ -0,0 +1,223 @@ @@ -38720,7 +39381,7 @@ index 0000000..9196e90 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38793,7 +39454,7 @@ index 0000000..9196e90 +selinux(8), prelude(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/privoxy_selinux.8 b/man/man8/privoxy_selinux.8 new file mode 100644 -index 0000000..b05a252 +index 0000000..b4b4c69 --- /dev/null +++ b/man/man8/privoxy_selinux.8 @@ -0,0 +1,134 @@ 
@@ -38884,7 +39545,7 @@ index 0000000..b05a252 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38934,7 +39595,7 @@ index 0000000..b05a252 \ No newline at end of file diff --git a/man/man8/procmail_selinux.8 b/man/man8/procmail_selinux.8 new file mode 100644 -index 0000000..34df592 +index 0000000..15f4183 --- /dev/null +++ b/man/man8/procmail_selinux.8 @@ -0,0 +1,115 @@ @@ -39010,7 +39671,7 @@ index 0000000..34df592 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39055,7 +39716,7 @@ index 0000000..34df592 +selinux(8), procmail(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/psad_selinux.8 b/man/man8/psad_selinux.8 new file mode 100644 -index 0000000..bb17926 +index 0000000..aa9f2e2 --- /dev/null +++ b/man/man8/psad_selinux.8 @@ -0,0 +1,135 @@ @@ -39151,7 +39812,7 @@ index 0000000..bb17926 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -39196,7 +39857,7 @@ index 0000000..bb17926 +selinux(8), psad(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ptal_selinux.8 b/man/man8/ptal_selinux.8 new file mode 100644 -index 0000000..9b67e7c +index 0000000..e1a8de5 --- /dev/null +++ b/man/man8/ptal_selinux.8 @@ -0,0 +1,123 @@ @@ -39254,7 +39915,7 @@ index 0000000..9b67e7c +/var/run/ptal-mlcd(/.*)?, /var/run/ptal-printd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39325,7 +39986,7 @@ index 0000000..9b67e7c +selinux(8), ptal(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ptchown_selinux.8 b/man/man8/ptchown_selinux.8 new file mode 100644 -index 0000000..2616592 +index 0000000..911b6fe --- /dev/null +++ b/man/man8/ptchown_selinux.8 @@ -0,0 +1,73 @@ @@ -39359,7 +40020,7 @@ index 0000000..2616592 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39404,7 +40065,7 @@ index 0000000..2616592 +selinux(8), ptchown(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/publicfile_selinux.8 b/man/man8/publicfile_selinux.8 new file mode 100644 -index 0000000..ac2f1cb +index 0000000..174d4ce --- /dev/null +++ b/man/man8/publicfile_selinux.8 @@ -0,0 +1,85 @@ 
@@ -39450,7 +40111,7 @@ index 0000000..ac2f1cb +/usr/bin/httpd, /usr/bin/ftpd + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39495,7 +40156,7 @@ index 0000000..ac2f1cb +selinux(8), publicfile(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/pulseaudio_selinux.8 b/man/man8/pulseaudio_selinux.8 new file mode 100644 -index 0000000..20f71d7 +index 0000000..36f8ee1 --- /dev/null +++ b/man/man8/pulseaudio_selinux.8 @@ -0,0 +1,151 @@ @@ -39579,7 +40240,7 @@ index 0000000..20f71d7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39652,7 +40313,7 @@ index 0000000..20f71d7 +selinux(8), pulseaudio(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/puppet_selinux.8 b/man/man8/puppet_selinux.8 new file mode 100644 -index 0000000..5541ffe +index 0000000..6466e46 --- /dev/null +++ b/man/man8/puppet_selinux.8 @@ -0,0 +1,215 @@ @@ -39676,7 +40337,7 @@ index 0000000..5541ffe +.EE + +.PP -+If you want to allow Puppet master to use connect to MySQL and PostgreSQL databas, you must turn on the puppetmaster_use_db boolean. ++If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean. + +.EX +.B setsebool -P puppetmaster_use_db 1 
@@ -39798,7 +40459,7 @@ index 0000000..5541ffe + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39874,7 +40535,7 @@ index 0000000..5541ffe \ No newline at end of file diff --git a/man/man8/puppetca_selinux.8 b/man/man8/puppetca_selinux.8 new file mode 100644 -index 0000000..7e4543c +index 0000000..65ebab6 --- /dev/null +++ b/man/man8/puppetca_selinux.8 @@ -0,0 +1,73 @@ @@ -39908,7 +40569,7 @@ index 0000000..7e4543c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39953,7 +40614,7 @@ index 0000000..7e4543c +selinux(8), puppetca(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/puppetmaster_selinux.8 b/man/man8/puppetmaster_selinux.8 new file mode 100644 -index 0000000..e707626 +index 0000000..b491444 --- /dev/null +++ b/man/man8/puppetmaster_selinux.8 @@ -0,0 +1,118 @@ @@ -39970,7 +40631,7 @@ index 0000000..e707626 + + +.PP -+If you want to allow Puppet master to use connect to MySQL and PostgreSQL databas, you must turn on the puppetmaster_use_db boolean. ++If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean. + +.EX +.B setsebool -P puppetmaster_use_db 1 
@@ -40028,7 +40689,7 @@ index 0000000..e707626 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -40076,9 +40737,110 @@ index 0000000..e707626 +selinux(8), puppetmaster(8), semanage(8), restorecon(8), chcon(1) +, setsebool(8) \ No newline at end of file +diff --git a/man/man8/pwauth_selinux.8 b/man/man8/pwauth_selinux.8 +new file mode 100644 +index 0000000..c1ee52c +--- /dev/null ++++ b/man/man8/pwauth_selinux.8 +@@ -0,0 +1,95 @@ ++.TH "pwauth_selinux" "8" "pwauth" "dwalsh@redhat.com" "pwauth SELinux Policy documentation" ++.SH "NAME" ++pwauth_selinux \- Security Enhanced Linux Policy for the pwauth processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the pwauth processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pwauth_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pwauth_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux pwauth policy is very flexible allowing users to setup their pwauth processes in as secure a method as possible. ++.PP ++The following file types are defined for pwauth: ++ ++ ++.EX ++.PP ++.B pwauth_exec_t ++.EE ++ ++- Set files with the pwauth_exec_t type, if you want to transition an executable to the pwauth_t domain. ++ ++ ++.EX ++.PP ++.B pwauth_var_run_t ++.EE ++ ++- Set files with the pwauth_var_run_t type, if you want to store the pwauth files under the /run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux pwauth policy is very flexible allowing users to setup their pwauth processes in as secure a method as possible. ++.PP ++The following process types are defined for pwauth: ++ ++.EX ++.B pwauth_t ++.EE ++.PP ++Note: ++.B semanage permissive -a PROCESS_TYPE ++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was autogenerated by genman.py. ++ ++.SH "SEE ALSO" ++selinux(8), pwauth(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/pyicqt_selinux.8 b/man/man8/pyicqt_selinux.8 new file mode 100644 -index 0000000..2a1614e +index 0000000..5a860b7 --- /dev/null +++ b/man/man8/pyicqt_selinux.8 @@ -0,0 +1,111 @@ 
@@ -40150,7 +40912,7 @@ index 0000000..2a1614e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40195,7 +40957,7 @@ index 0000000..2a1614e +selinux(8), pyicqt(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/qdiskd_selinux.8 b/man/man8/qdiskd_selinux.8 new file mode 100644 -index 0000000..77f1640 +index 0000000..3e46dd9 --- /dev/null +++ b/man/man8/qdiskd_selinux.8 @@ -0,0 +1,119 @@ @@ -40275,7 +41037,7 @@ index 0000000..77f1640 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40320,7 +41082,7 @@ index 0000000..77f1640 +selinux(8), qdiskd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/qemu_selinux.8 b/man/man8/qemu_selinux.8 new file mode 100644 -index 0000000..6dcd7cf +index 0000000..1836a66 --- /dev/null +++ b/man/man8/qemu_selinux.8 @@ -0,0 +1,147 @@ 
@@ -40337,28 +41099,28 @@ index 0000000..6dcd7cf + + +.PP -+If you want to allow qemu to use serial/parallel communication port, you must turn on the qemu_use_comm boolean. ++If you want to allow qemu to use serial/parallel communication ports, you must turn on the qemu_use_comm boolean. + +.EX +.B setsebool -P qemu_use_comm 1 +.EE + +.PP -+If you want to allow qemu to use nfs file system, you must turn on the qemu_use_nfs boolean. ++If you want to allow qemu to use nfs file systems, you must turn on the qemu_use_nfs boolean. + +.EX +.B setsebool -P qemu_use_nfs 1 +.EE + +.PP -+If you want to allow qemu to use usb device, you must turn on the qemu_use_usb boolean. ++If you want to allow qemu to use usb devices, you must turn on the qemu_use_usb boolean. + +.EX +.B setsebool -P qemu_use_usb 1 +.EE + +.PP -+If you want to allow qemu to connect fully to the networ, you must turn on the qemu_full_network boolean. ++If you want to allow qemu to connect fully to the network, you must turn on the qemu_full_network boolean. + +.EX +.B setsebool -P qemu_full_network 1 @@ -40372,7 +41134,7 @@ index 0000000..6dcd7cf +.EE + +.PP -+If you want to allow qemu to use cifs/Samba file system, you must turn on the qemu_use_cifs boolean. ++If you want to allow qemu to use cifs/Samba file systems, you must turn on the qemu_use_cifs boolean. + +.EX +.B setsebool -P qemu_use_cifs 1 @@ -40424,7 +41186,7 @@ index 0000000..6dcd7cf +/var/run/libvirt/qemu(/.*)?, /var/lib/libvirt/qemu(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40474,7 +41236,7 @@ index 0000000..6dcd7cf \ No newline at end of file 
diff --git a/man/man8/qmail_selinux.8 b/man/man8/qmail_selinux.8 new file mode 100644 -index 0000000..aeed846 +index 0000000..05df219 --- /dev/null +++ b/man/man8/qmail_selinux.8 @@ -0,0 +1,223 @@ @@ -40658,7 +41420,7 @@ index 0000000..aeed846 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40703,7 +41465,7 @@ index 0000000..aeed846 +selinux(8), qmail(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/qpidd_selinux.8 b/man/man8/qpidd_selinux.8 new file mode 100644 -index 0000000..3f60e17 +index 0000000..a11b85c --- /dev/null +++ b/man/man8/qpidd_selinux.8 @@ -0,0 +1,109 @@ @@ -40773,7 +41535,7 @@ index 0000000..3f60e17 +/var/run/qpidd(/.*)?, /var/run/qpidd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40818,7 +41580,7 @@ index 0000000..3f60e17 +selinux(8), qpidd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/quantum_selinux.8 b/man/man8/quantum_selinux.8 new file mode 100644 -index 0000000..6747eb0 +index 0000000..79f1f0d --- /dev/null +++ b/man/man8/quantum_selinux.8 @@ -0,0 +1,149 @@ 
@@ -40902,7 +41664,7 @@ index 0000000..6747eb0 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40973,7 +41735,7 @@ index 0000000..6747eb0 +selinux(8), quantum(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/quota_selinux.8 b/man/man8/quota_selinux.8 new file mode 100644 -index 0000000..35c287b +index 0000000..f36de79 --- /dev/null +++ b/man/man8/quota_selinux.8 @@ -0,0 +1,127 @@ @@ -41022,7 +41784,7 @@ index 0000000..35c287b +.br +.TP 5 +Paths: -+/boot/a?quota\.(user|group), /etc/a?quota\.(user|group), /a?quota\.(user|group), /var/a?quota\.(user|group), /var/spool/(.*/)?a?quota\.(user|group) ++/boot/a?quota\.(user|group), /etc/a?quota\.(user|group), /var/lib/stickshift/a?quota\.(user|group), /a?quota\.(user|group), /var/a?quota\.(user|group), /var/spool/(.*/)?a?quota\.(user|group) + +.EX +.PP @@ -41061,7 +41823,7 @@ index 0000000..35c287b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -41106,7 +41868,7 @@ index 0000000..35c287b +selinux(8), quota(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rabbitmq_selinux.8 b/man/man8/rabbitmq_selinux.8 new file mode 100644 -index 0000000..0a0b7e4 +index 0000000..48bea51 --- /dev/null +++ b/man/man8/rabbitmq_selinux.8 @@ -0,0 +1,97 @@ 
@@ -41164,7 +41926,7 @@ index 0000000..0a0b7e4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -41209,7 +41971,7 @@ index 0000000..0a0b7e4 +selinux(8), rabbitmq(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/racoon_selinux.8 b/man/man8/racoon_selinux.8 new file mode 100644 -index 0000000..ab4b7e2 +index 0000000..5b2cad0 --- /dev/null +++ b/man/man8/racoon_selinux.8 @@ -0,0 +1,110 @@ @@ -41226,7 +41988,7 @@ index 0000000..ab4b7e2 + + +.PP -+If you want to allow racoon to read shado, you must turn on the racoon_read_shadow boolean. ++If you want to allow racoon to read shadow, you must turn on the racoon_read_shadow boolean. + +.EX +.B setsebool -P racoon_read_shadow 1 @@ -41276,7 +42038,7 @@ index 0000000..ab4b7e2 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -41326,7 +42088,7 @@ index 0000000..ab4b7e2 \ No newline at end of file diff --git a/man/man8/radiusd_selinux.8 b/man/man8/radiusd_selinux.8 new file mode 100644 -index 0000000..aa861ce +index 0000000..5e2ca22 --- /dev/null +++ b/man/man8/radiusd_selinux.8 @@ -0,0 +1,188 @@ 
@@ -41343,7 +42105,7 @@ index 0000000..aa861ce + + +.PP -+If you want to allow users to login using a radius serve, you must turn on the authlogin_radius boolean. ++If you want to allow users to login using a radius server, you must turn on the authlogin_radius boolean. + +.EX +.B setsebool -P authlogin_radius 1 @@ -41445,7 +42207,7 @@ index 0000000..aa861ce +/var/run/radiusd\.pid, /var/run/radiusd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -41521,7 +42283,7 @@ index 0000000..aa861ce \ No newline at end of file diff --git a/man/man8/radvd_selinux.8 b/man/man8/radvd_selinux.8 new file mode 100644 -index 0000000..257f975 +index 0000000..51248cc --- /dev/null +++ b/man/man8/radvd_selinux.8 @@ -0,0 +1,115 @@ @@ -41597,7 +42359,7 @@ index 0000000..257f975 +/var/run/radvd(/.*)?, /var/run/radvd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -41642,7 +42404,7 @@ index 0000000..257f975 +selinux(8), radvd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rdisc_selinux.8 b/man/man8/rdisc_selinux.8 new file mode 100644 -index 0000000..a06b607 +index 0000000..91fd7f7 --- /dev/null +++ b/man/man8/rdisc_selinux.8 @@ -0,0 +1,77 @@ 
@@ -41680,7 +42442,7 @@ index 0000000..a06b607 +/sbin/rdisc, /usr/sbin/rdisc + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -41725,7 +42487,7 @@ index 0000000..a06b607 +selinux(8), rdisc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/readahead_selinux.8 b/man/man8/readahead_selinux.8 new file mode 100644 -index 0000000..ef18581 +index 0000000..8f2fb7a --- /dev/null +++ b/man/man8/readahead_selinux.8 @@ -0,0 +1,97 @@ @@ -41783,7 +42545,7 @@ index 0000000..ef18581 +/var/run/systemd/readahead(/.*)?, /dev/\.systemd/readahead(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -41826,65 +42588,43 @@ index 0000000..ef18581 + +.SH "SEE ALSO" +selinux(8), readahead(8), semanage(8), restorecon(8), chcon(1) -diff --git a/man/man8/regex_selinux.8 b/man/man8/regex_selinux.8 +diff --git a/man/man8/realmd_selinux.8 b/man/man8/realmd_selinux.8 new file mode 100644 -index 0000000..e36af1f +index 0000000..9bd9549 
--- /dev/null -+++ b/man/man8/regex_selinux.8 -@@ -0,0 +1,95 @@ -+.TH "regex_selinux" "8" "regex" "dwalsh@redhat.com" "regex SELinux Policy documentation" ++++ b/man/man8/realmd_selinux.8 +@@ -0,0 +1,73 @@ ++.TH "realmd_selinux" "8" "realmd" "dwalsh@redhat.com" "realmd SELinux Policy documentation" +.SH "NAME" -+regex_selinux \- Security Enhanced Linux Policy for the regex processes ++realmd_selinux \- Security Enhanced Linux Policy for the realmd processes +.SH "DESCRIPTION" + -+Security-Enhanced Linux secures the regex processes via flexible mandatory access ++Security-Enhanced Linux secures the realmd processes via flexible mandatory access +control. + +.SH NSSWITCH DOMAIN + -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the regex_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the regex_milter_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+setsebool -P kerberos_enabled 1 -+.EE -+ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP +Policy governs the access confined processes have to these files. -+SELinux regex policy is very flexible allowing users to setup their regex processes in as secure a method as possible. ++SELinux realmd policy is very flexible allowing users to setup their realmd processes in as secure a method as possible. +.PP -+The following file types are defined for regex: ++The following file types are defined for realmd: + + +.EX +.PP -+.B regex_milter_data_t ++.B realmd_exec_t +.EE + -+- Set files with the regex_milter_data_t type, if you want to treat the files as regex milter content. 
++- Set files with the realmd_exec_t type, if you want to transition an executable to the realmd_t domain. + + -+.EX +.PP -+.B regex_milter_exec_t -+.EE -+ -+- Set files with the regex_milter_exec_t type, if you want to transition an executable to the regex_milter_t domain. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -41896,12 +42636,113 @@ index 0000000..e36af1f +You can see the context of a process using the \fB\-Z\fP option to \fBps\bP +.PP +Policy governs the access confined processes have to files. -+SELinux regex policy is very flexible allowing users to setup their regex processes in as secure a method as possible. ++SELinux realmd policy is very flexible allowing users to setup their realmd processes in as secure a method as possible. +.PP -+The following process types are defined for regex: ++The following process types are defined for realmd: + +.EX -+.B regex_milter_t ++.B realmd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a PROCESS_TYPE ++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was autogenerated by genman.py. ++ ++.SH "SEE ALSO" ++selinux(8), realmd(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/regex_selinux.8 b/man/man8/regex_selinux.8 +new file mode 100644 +index 0000000..0431f98 +--- /dev/null ++++ b/man/man8/regex_selinux.8 +@@ -0,0 +1,95 @@ ++.TH "regex_selinux" "8" "regex" "dwalsh@redhat.com" "regex SELinux Policy documentation" ++.SH "NAME" ++regex_selinux \- Security Enhanced Linux Policy for the regex processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the regex processes via flexible mandatory access ++control. 
++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the regex_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the regex_milter_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux regex policy is very flexible allowing users to setup their regex processes in as secure a method as possible. ++.PP ++The following file types are defined for regex: ++ ++ ++.EX ++.PP ++.B regex_milter_data_t ++.EE ++ ++- Set files with the regex_milter_data_t type, if you want to treat the files as regex milter content. ++ ++ ++.EX ++.PP ++.B regex_milter_exec_t ++.EE ++ ++- Set files with the regex_milter_exec_t type, if you want to transition an executable to the regex_milter_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux regex policy is very flexible allowing users to setup their regex processes in as secure a method as possible. 
++.PP ++The following process types are defined for regex: ++ ++.EX ++.B regex_milter_t +.EE +.PP +Note: @@ -41929,7 +42770,7 @@ index 0000000..e36af1f +selinux(8), regex(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/restorecond_selinux.8 b/man/man8/restorecond_selinux.8 new file mode 100644 -index 0000000..6d75fcb +index 0000000..c1d4bcc --- /dev/null +++ b/man/man8/restorecond_selinux.8 @@ -0,0 +1,95 @@ @@ -41985,7 +42826,7 @@ index 0000000..6d75fcb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42030,7 +42871,7 @@ index 0000000..6d75fcb +selinux(8), restorecond(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rgmanager_selinux.8 b/man/man8/rgmanager_selinux.8 new file mode 100644 -index 0000000..2b3980d +index 0000000..3abdac8 --- /dev/null +++ b/man/man8/rgmanager_selinux.8 @@ -0,0 +1,146 @@ @@ -42133,7 +42974,7 @@ index 0000000..2b3980d +/var/run/rgmanager\.pid, /var/run/cluster/rgmanager\.sk + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42183,7 +43024,7 @@ index 0000000..2b3980d \ No newline at end of file diff --git a/man/man8/rhev_selinux.8 b/man/man8/rhev_selinux.8 new file mode 100644 -index 0000000..b09665c +index 0000000..9d50cd5 --- /dev/null +++ b/man/man8/rhev_selinux.8 @@ -0,0 +1,123 @@ 
@@ -42267,7 +43108,7 @@ index 0000000..b09665c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42312,7 +43153,7 @@ index 0000000..b09665c +selinux(8), rhev(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rhgb_selinux.8 b/man/man8/rhgb_selinux.8 new file mode 100644 -index 0000000..b9ec7f2 +index 0000000..033248f --- /dev/null +++ b/man/man8/rhgb_selinux.8 @@ -0,0 +1,81 @@ @@ -42354,7 +43195,7 @@ index 0000000..b9ec7f2 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42399,7 +43240,7 @@ index 0000000..b9ec7f2 +selinux(8), rhgb(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rhsmcertd_selinux.8 b/man/man8/rhsmcertd_selinux.8 new file mode 100644 -index 0000000..053f6cf +index 0000000..a147aab --- /dev/null +++ b/man/man8/rhsmcertd_selinux.8 @@ -0,0 +1,113 @@ @@ -42473,7 +43314,7 @@ index 0000000..053f6cf + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -42518,7 +43359,7 @@ index 0000000..053f6cf +selinux(8), rhsmcertd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ricci_selinux.8 b/man/man8/ricci_selinux.8 new file mode 100644 -index 0000000..096c0d9 +index 0000000..f2556e7 --- /dev/null +++ b/man/man8/ricci_selinux.8 @@ -0,0 +1,260 @@ @@ -42698,7 +43539,7 @@ index 0000000..096c0d9 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42784,7 +43625,7 @@ index 0000000..096c0d9 +selinux(8), ricci(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rlogind_selinux.8 b/man/man8/rlogind_selinux.8 new file mode 100644 -index 0000000..77f13d4 +index 0000000..d24aec9 --- /dev/null +++ b/man/man8/rlogind_selinux.8 @@ -0,0 +1,153 @@ @@ -42872,7 +43713,7 @@ index 0000000..77f13d4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42943,7 +43784,7 @@ index 0000000..77f13d4 +selinux(8), rlogind(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/roundup_selinux.8 b/man/man8/roundup_selinux.8 new file mode 100644 -index 0000000..d5119ed +index 0000000..34ca865 --- /dev/null +++ b/man/man8/roundup_selinux.8 @@ -0,0 +1,97 @@ 
@@ -43001,7 +43842,7 @@ index 0000000..d5119ed + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43046,7 +43887,7 @@ index 0000000..d5119ed +selinux(8), roundup(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rpcbind_selinux.8 b/man/man8/rpcbind_selinux.8 new file mode 100644 -index 0000000..5089077 +index 0000000..070558a --- /dev/null +++ b/man/man8/rpcbind_selinux.8 @@ -0,0 +1,109 @@ @@ -43116,7 +43957,7 @@ index 0000000..5089077 +/var/run/rpcbind\.sock, /var/run/rpcbind\.lock, /var/run/rpc.statd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43161,7 +44002,7 @@ index 0000000..5089077 +selinux(8), rpcbind(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rpcd_selinux.8 b/man/man8/rpcd_selinux.8 new file mode 100644 -index 0000000..4a1bc16 +index 0000000..eee7969 --- /dev/null +++ b/man/man8/rpcd_selinux.8 @@ -0,0 +1,123 @@ @@ -43210,7 +44051,7 @@ index 0000000..4a1bc16 +.br +.TP 5 +Paths: -+/sbin/sm-notify, /usr/sbin/rpc\..*, /usr/sbin/rpc\.rquotad, /usr/sbin/rpc\.idmapd, /usr/sbin/sm-notify, /sbin/rpc\..* ++/sbin/sm-notify, /usr/sbin/rpc\..*, /usr/sbin/rpc\.idmapd, /usr/sbin/sm-notify, /usr/sbin/rpc\.rquotad, /sbin/rpc\..* + +.EX +.PP 
@@ -43245,7 +44086,7 @@ index 0000000..4a1bc16 +/var/run/rpc\.statd(/.*)?, /var/run/rpc\.statd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43290,7 +44131,7 @@ index 0000000..4a1bc16 +selinux(8), rpcd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rpm_selinux.8 b/man/man8/rpm_selinux.8 new file mode 100644 -index 0000000..a569a6d +index 0000000..c1b5773 --- /dev/null +++ b/man/man8/rpm_selinux.8 @@ -0,0 +1,183 @@ 
@@ -43339,7 +44180,7 @@ index 0000000..a569a6d +.br +.TP 5 +Paths: -+/usr/sbin/yum-updatesd, /usr/bin/apt-get, /usr/sbin/bcfg2, /usr/sbin/rhn_check, /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/synaptic, /usr/share/yumex/yumex-yum-backend, /usr/bin/apt-shell, /usr/sbin/pup, /usr/libexec/packagekitd, /usr/libexec/yumDBUSBackend.py, /usr/sbin/pirut, /usr/bin/package-cleanup, /usr/bin/fedora-rmdevelrpms, /bin/rpm, /usr/bin/yum, /usr/sbin/system-install-packages, /usr/bin/zif, /usr/bin/rpm, /usr/sbin/yum-complete-transaction, /usr/bin/smart, /usr/sbin/packagekitd, /usr/sbin/rhnreg_ks, /usr/share/yumex/yum_childtask\.py, /usr/sbin/up2date ++/usr/bin/apt-get, /usr/sbin/bcfg2, /usr/sbin/rhn_check, /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/synaptic, /usr/share/yumex/yumex-yum-backend, /usr/bin/apt-shell, /usr/sbin/yum-updatesd, /usr/sbin/pup, /usr/libexec/packagekitd, /usr/libexec/yumDBUSBackend.py, /usr/sbin/pirut, /usr/bin/package-cleanup, /bin/rpm, /usr/bin/yum, /usr/sbin/system-install-packages, /usr/bin/zif, /usr/bin/rpm, /usr/sbin/yum-complete-transaction, /usr/bin/smart, /usr/sbin/packagekitd, /usr/bin/fedora-rmdevelrpms, /usr/sbin/rhnreg_ks, /usr/share/yumex/yum_childtask\.py, /usr/sbin/up2date + +.EX +.PP @@ -43434,7 +44275,7 @@ index 0000000..a569a6d +/var/run/PackageKit(/.*)?, /var/run/yum.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43479,7 +44320,7 @@ index 0000000..a569a6d +selinux(8), rpm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rshd_selinux.8 b/man/man8/rshd_selinux.8 new file mode 100644 -index 0000000..63603e6 +index 0000000..2686e88 --- /dev/null +++ b/man/man8/rshd_selinux.8 
@@ -0,0 +1,125 @@ @@ -43539,7 +44380,7 @@ index 0000000..63603e6 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43610,7 +44451,7 @@ index 0000000..63603e6 +selinux(8), rshd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rssh_selinux.8 b/man/man8/rssh_selinux.8 new file mode 100644 -index 0000000..98ec63b +index 0000000..9988547 --- /dev/null +++ b/man/man8/rssh_selinux.8 @@ -0,0 +1,111 @@ @@ -43682,7 +44523,7 @@ index 0000000..98ec63b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43726,7 +44567,7 @@ index 0000000..98ec63b +.SH "SEE ALSO" +selinux(8), rssh(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8 -index ad9ccf5..0e20ab4 100644 +index ad9ccf5..805c4ab 100644 --- a/man/man8/rsync_selinux.8 +++ b/man/man8/rsync_selinux.8 @@ -1,52 +1,217 @@ @@ -43764,7 +44605,7 @@ index ad9ccf5..0e20ab4 100644 + + +.PP -+If you want to allow rsync to run as a clien, you must turn on the rsync_client boolean. ++If you want to allow rsync to run as a client, you must turn on the rsync_client boolean. + +.EX +.B setsebool -P rsync_client 1 
@@ -43778,14 +44619,14 @@ index ad9ccf5..0e20ab4 100644 +.EE + +.PP -+If you want to allow rsync servers to share nfs files system, you must turn on the rsync_use_nfs boolean. ++If you want to allow rsync servers to share nfs files systems, you must turn on the rsync_use_nfs boolean. + +.EX +.B setsebool -P rsync_use_nfs 1 +.EE + +.PP -+If you want to allow rsync servers to share cifs files system, you must turn on the rsync_use_cifs boolean. ++If you want to allow rsync servers to share cifs files systems, you must turn on the rsync_use_cifs boolean. + +.EX +.B setsebool -P rsync_use_cifs 1 @@ -43906,7 +44747,7 @@ index ad9ccf5..0e20ab4 100644 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43986,7 +44827,7 @@ index ad9ccf5..0e20ab4 100644 \ No newline at end of file diff --git a/man/man8/rtkit_selinux.8 b/man/man8/rtkit_selinux.8 new file mode 100644 -index 0000000..a6af45c +index 0000000..6388e55 --- /dev/null +++ b/man/man8/rtkit_selinux.8 @@ -0,0 +1,87 @@ @@ -44034,7 +44875,7 @@ index 0000000..a6af45c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44079,7 +44920,7 @@ index 0000000..a6af45c +selinux(8), rtkit(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/run_selinux.8 b/man/man8/run_selinux.8 new file mode 100644 -index 0000000..3640723 +index 0000000..da9ce6c --- /dev/null +++ b/man/man8/run_selinux.8 @@ -0,0 +1,123 @@ @@ -44096,7 +44937,7 @@ index 0000000..3640723 + + +.PP -+If you want to allow Apache to run in stickshift mode, not transition to passenge, you must turn on the httpd_run_stickshift boolean. ++If you want to allow Apache to run in stickshift mode, not transition to passenger, you must turn on the httpd_run_stickshift boolean. + +.EX +.B setsebool -P httpd_run_stickshift 1 @@ -44117,7 +44958,7 @@ index 0000000..3640723 +.EE + +.PP -+If you want to allow samba to run unconfined script, you must turn on the samba_run_unconfined boolean. ++If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean. + +.EX +.B setsebool -P samba_run_unconfined 1 @@ -44159,7 +45000,7 @@ index 0000000..3640723 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44209,7 +45050,7 @@ index 0000000..3640723 \ No newline at end of file diff --git a/man/man8/rwho_selinux.8 b/man/man8/rwho_selinux.8 new file mode 100644 -index 0000000..0dade68 +index 0000000..8acacbd --- /dev/null +++ b/man/man8/rwho_selinux.8 @@ -0,0 +1,123 @@ 
@@ -44267,7 +45108,7 @@ index 0000000..0dade68 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44337,7 +45178,7 @@ index 0000000..0dade68 +.SH "SEE ALSO" +selinux(8), rwho(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8 -index ca702c7..716f04c 100644 +index ca702c7..2a88102 100644 --- a/man/man8/samba_selinux.8 +++ b/man/man8/samba_selinux.8 @@ -1,56 +1,275 @@ @@ -44402,14 +45243,14 @@ index ca702c7..716f04c 100644 +.EE + +.PP -+If you want to support SAMBA home directorie, you must turn on the use_samba_home_dirs boolean. ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. + +.EX +.B setsebool -P use_samba_home_dirs 1 +.EE + +.PP -+If you want to allow samba to create new home directories (e.g. via PAM, you must turn on the samba_create_home_dirs boolean. ++If you want to allow samba to create new home directories (e.g. via PAM), you must turn on the samba_create_home_dirs boolean. + +.EX +.B setsebool -P samba_create_home_dirs 1 @@ -44423,7 +45264,7 @@ index ca702c7..716f04c 100644 +.EE + +.PP -+If you want to allow samba to act as a portmappe, you must turn on the samba_portmapper boolean. ++If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean. + +.EX +.B setsebool -P samba_portmapper 1 
@@ -44444,14 +45285,14 @@ index ca702c7..716f04c 100644 +.EE + +.PP -+If you want to allow samba to run unconfined script, you must turn on the samba_run_unconfined boolean. ++If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean. + +.EX +.B setsebool -P samba_run_unconfined 1 +.EE + +.PP -+If you want to allow confined virtual guests to manage cifs file, you must turn on the sanlock_use_samba boolean. ++If you want to allow sanlock to manage cifs files, you must turn on the sanlock_use_samba boolean. + +.EX +.B setsebool -P sanlock_use_samba 1 @@ -44465,7 +45306,7 @@ index ca702c7..716f04c 100644 +.EE + +.PP -+If you want to allow confined virtual guests to manage cifs file, you must turn on the virt_use_samba boolean. ++If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean. + +.EX +.B setsebool -P virt_use_samba 1 @@ -44603,7 +45444,7 @@ index ca702c7..716f04c 100644 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44620,7 +45461,7 @@ index ca702c7..716f04c 100644 +The following process types are defined for samba: + +.EX -+.B samba_net_t, samba_unconfined_net_t, samba_unconfined_script_t, sambagui_t ++.B samba_net_t, samba_unconfined_script_t, sambagui_t +.EE +.PP +Note: @@ -44662,7 +45503,7 @@ index ca702c7..716f04c 100644 \ No newline at end of file diff --git a/man/man8/sambagui_selinux.8 b/man/man8/sambagui_selinux.8 new file mode 100644 -index 0000000..8c06b88 +index 0000000..0016c04 --- /dev/null +++ b/man/man8/sambagui_selinux.8 @@ -0,0 +1,87 @@ 
@@ -44710,7 +45551,7 @@ index 0000000..8c06b88 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44755,10 +45596,10 @@ index 0000000..8c06b88 +selinux(8), sambagui(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/sandbox_selinux.8 b/man/man8/sandbox_selinux.8 new file mode 100644 -index 0000000..312758e +index 0000000..76f0d9f --- /dev/null +++ b/man/man8/sandbox_selinux.8 -@@ -0,0 +1,158 @@ +@@ -0,0 +1,166 @@ +.TH "sandbox_selinux" "8" "sandbox" "dwalsh@redhat.com" "sandbox SELinux Policy documentation" +.SH "NAME" +sandbox_selinux \- Security Enhanced Linux Policy for the sandbox processes @@ -44772,7 +45613,7 @@ index 0000000..312758e + + +.PP -+If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbo, you must turn on the unconfined_chrome_sandbox_transition boolean. ++If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean. + +.EX +.B setsebool -P unconfined_chrome_sandbox_transition 1 @@ -44847,6 +45688,14 @@ index 0000000..312758e + +.EX +.PP ++.B sandbox_staff_file_t ++.EE ++ ++- Set files with the sandbox_staff_file_t type, if you want to treat the files as sandbox staff content. ++ ++ ++.EX ++.PP +.B sandbox_web_client_tmpfs_t +.EE + 
@@ -44870,7 +45719,7 @@ index 0000000..312758e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44887,7 +45736,7 @@ index 0000000..312758e +The following process types are defined for sandbox: + +.EX -+.B sandbox_x_client_t, sandbox_net_client_t, sandbox_xserver_t, sandbox_x_t, sandbox_web_client_t, sandbox_min_t, sandbox_net_t, sandbox_web_t, sandbox_min_client_t, sandbox_t ++.B sandbox_x_client_t, sandbox_net_client_t, sandbox_xserver_t, sandbox_x_t, sandbox_staff_t, sandbox_web_client_t, sandbox_min_t, sandbox_net_t, sandbox_web_t, sandbox_min_client_t, sandbox_t +.EE +.PP +Note: @@ -44920,7 +45769,7 @@ index 0000000..312758e \ No newline at end of file diff --git a/man/man8/sanlock_selinux.8 b/man/man8/sanlock_selinux.8 new file mode 100644 -index 0000000..f759126 +index 0000000..7b9ea7a --- /dev/null +++ b/man/man8/sanlock_selinux.8 @@ -0,0 +1,140 @@ 
@@ -44937,21 +45786,21 @@ index 0000000..f759126 + + +.PP -+If you want to allow confined virtual guests to interact with the sanloc, you must turn on the virt_use_sanlock boolean. ++If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean. + +.EX +.B setsebool -P virt_use_sanlock 1 +.EE + +.PP -+If you want to allow confined virtual guests to manage nfs file, you must turn on the sanlock_use_nfs boolean. ++If you want to allow sanlock to manage nfs files, you must turn on the sanlock_use_nfs boolean. + +.EX +.B setsebool -P sanlock_use_nfs 1 +.EE + +.PP -+If you want to allow confined virtual guests to manage cifs file, you must turn on the sanlock_use_samba boolean. ++If you want to allow sanlock to manage cifs files, you must turn on the sanlock_use_samba boolean. + +.EX +.B setsebool -P sanlock_use_samba 1 @@ -45017,7 +45866,7 @@ index 0000000..f759126 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45067,7 +45916,7 @@ index 0000000..f759126 \ No newline at end of file diff --git a/man/man8/saslauthd_selinux.8 b/man/man8/saslauthd_selinux.8 new file mode 100644 -index 0000000..e19a072 +index 0000000..d96e37e --- /dev/null +++ b/man/man8/saslauthd_selinux.8 @@ -0,0 +1,130 @@ @@ -45084,7 +45933,7 @@ index 0000000..e19a072 + + +.PP -+If you want to allow sasl to read shado, you must turn on the saslauthd_read_shadow boolean. ++If you want to allow sasl to read shadow, you must turn on the saslauthd_read_shadow boolean. + +.EX +.B setsebool -P saslauthd_read_shadow 1 
@@ -45154,7 +46003,7 @@ index 0000000..e19a072 +/var/run/saslauthd(/.*)?, /var/lib/sasl2(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45204,7 +46053,7 @@ index 0000000..e19a072 \ No newline at end of file diff --git a/man/man8/sblim_selinux.8 b/man/man8/sblim_selinux.8 new file mode 100644 -index 0000000..bae951c +index 0000000..4e9252e --- /dev/null +++ b/man/man8/sblim_selinux.8 @@ -0,0 +1,89 @@ @@ -45254,7 +46103,7 @@ index 0000000..bae951c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45370,7 +46219,7 @@ index 0000000..6bf3e2b +selinux(8), semanage(8). diff --git a/man/man8/sectoolm_selinux.8 b/man/man8/sectoolm_selinux.8 new file mode 100644 -index 0000000..41be52c +index 0000000..584af3d --- /dev/null +++ b/man/man8/sectoolm_selinux.8 @@ -0,0 +1,87 @@ @@ -45418,7 +46267,7 @@ index 0000000..41be52c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -45463,7 +46312,7 @@ index 0000000..41be52c +selinux(8), sectoolm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/selinux_selinux.8 b/man/man8/selinux_selinux.8 new file mode 100644 -index 0000000..45c7217 +index 0000000..13e68bf --- /dev/null +++ b/man/man8/selinux_selinux.8 @@ -0,0 +1,130 @@ 
@@ -45480,21 +46329,21 @@ index 0000000..45c7217 + + +.PP -+If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzill, you must turn on the selinuxuser_execheap boolean. ++If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean. + +.EX +.B setsebool -P selinuxuser_execheap 1 +.EE + +.PP -+If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_, you must turn on the selinuxuser_execmod boolean. ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. + +.EX +.B setsebool -P selinuxuser_execmod 1 +.EE + +.PP -+If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzill, you must turn on the selinuxuser_execstack boolean. ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. + +.EX +.B setsebool -P selinuxuser_execstack 1 
@@ -45550,7 +46399,7 @@ index 0000000..45c7217 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45600,10 +46449,10 @@ index 0000000..45c7217 \ No newline at end of file diff --git a/man/man8/semanage_selinux.8 b/man/man8/semanage_selinux.8 new file mode 100644 -index 0000000..4ed4357 +index 0000000..bb8dd56 --- /dev/null +++ b/man/man8/semanage_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,135 @@ +.TH "semanage_selinux" "8" "semanage" "dwalsh@redhat.com" "semanage SELinux Policy documentation" +.SH "NAME" +semanage_selinux \- Security Enhanced Linux Policy for the semanage processes @@ -45614,6 +46463,20 @@ index 0000000..4ed4357 + +.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the semanage_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the semanage_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -45635,7 +46498,7 @@ index 0000000..4ed4357 +.br +.TP 5 +Paths: -+/usr/sbin/semanage, /usr/sbin/semodule, /usr/share/system-config-selinux/system-config-selinux-dbus\.py ++/usr/share/system-config-selinux/system-config-selinux-dbus\.py, /usr/sbin/semanage, /usr/sbin/semodule + +.EX +.PP 
@@ -45682,7 +46545,7 @@ index 0000000..4ed4357 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45727,7 +46590,7 @@ index 0000000..4ed4357 +selinux(8), semanage(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/sendmail_selinux.8 b/man/man8/sendmail_selinux.8 new file mode 100644 -index 0000000..1709275 +index 0000000..85c765e --- /dev/null +++ b/man/man8/sendmail_selinux.8 @@ -0,0 +1,168 @@ @@ -45744,21 +46607,21 @@ index 0000000..1709275 + + +.PP -+If you want to allow http daemon to send mai, you must turn on the httpd_can_sendmail boolean. ++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. + +.EX +.B setsebool -P httpd_can_sendmail 1 +.EE + +.PP -+If you want to allow syslogd daemon to send mai, you must turn on the logging_syslogd_can_sendmail boolean. ++If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean. + +.EX +.B setsebool -P logging_syslogd_can_sendmail 1 +.EE + +.PP -+If you want to allow gitisis daemon to send mai, you must turn on the gitosis_can_sendmail boolean. ++If you want to allow gitisis daemon to send mail, you must turn on the gitosis_can_sendmail boolean. + +.EX +.B setsebool -P gitosis_can_sendmail 1 
@@ -45852,7 +46715,7 @@ index 0000000..1709275 +/var/run/sendmail\.pid, /var/run/sm-client\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45902,7 +46765,7 @@ index 0000000..1709275 \ No newline at end of file diff --git a/man/man8/services_selinux.8 b/man/man8/services_selinux.8 new file mode 100644 -index 0000000..1004c86 +index 0000000..ac4a98f --- /dev/null +++ b/man/man8/services_selinux.8 @@ -0,0 +1,85 @@ @@ -45948,7 +46811,7 @@ index 0000000..1004c86 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45993,7 +46856,7 @@ index 0000000..1004c86 +selinux(8), services(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/setfiles_selinux.8 b/man/man8/setfiles_selinux.8 new file mode 100644 -index 0000000..00771fb +index 0000000..5229951 --- /dev/null +++ b/man/man8/setfiles_selinux.8 @@ -0,0 +1,77 @@ 
@@ -46031,7 +46894,7 @@ index 0000000..00771fb +/sbin/setfiles.*, /sbin/restorecon, /usr/sbin/setfiles.*, /usr/sbin/restorecon + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46076,7 +46939,7 @@ index 0000000..00771fb +selinux(8), setfiles(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/setkey_selinux.8 b/man/man8/setkey_selinux.8 new file mode 100644 -index 0000000..3508525 +index 0000000..156aefb --- /dev/null +++ b/man/man8/setkey_selinux.8 @@ -0,0 +1,77 @@ @@ -46114,7 +46977,7 @@ index 0000000..3508525 +/usr/sbin/setkey, /sbin/setkey + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46159,7 +47022,7 @@ index 0000000..3508525 +selinux(8), setkey(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/setrans_selinux.8 b/man/man8/setrans_selinux.8 new file mode 100644 -index 0000000..1851634 +index 0000000..53a7586 --- /dev/null +++ b/man/man8/setrans_selinux.8 @@ -0,0 +1,97 @@ 
@@ -46217,7 +47080,7 @@ index 0000000..1851634 +/var/run/mcstransd\.pid, /var/run/setrans(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46262,7 +47125,7 @@ index 0000000..1851634 +selinux(8), setrans(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/setroubleshoot_selinux.8 b/man/man8/setroubleshoot_selinux.8 new file mode 100644 -index 0000000..3e3593f +index 0000000..8f116c9 --- /dev/null +++ b/man/man8/setroubleshoot_selinux.8 @@ -0,0 +1,119 @@ @@ -46342,7 +47205,7 @@ index 0000000..3e3593f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46387,7 +47250,7 @@ index 0000000..3e3593f +selinux(8), setroubleshoot(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/setroubleshootd_selinux.8 b/man/man8/setroubleshootd_selinux.8 new file mode 100644 -index 0000000..838a09a +index 0000000..3804fc4 --- /dev/null +++ b/man/man8/setroubleshootd_selinux.8 @@ -0,0 +1,87 @@ 
@@ -46435,7 +47298,7 @@ index 0000000..838a09a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46480,7 +47343,7 @@ index 0000000..838a09a +selinux(8), setroubleshootd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/setsebool_selinux.8 b/man/man8/setsebool_selinux.8 new file mode 100644 -index 0000000..a3d4b57 +index 0000000..7e5c3d1 --- /dev/null +++ b/man/man8/setsebool_selinux.8 @@ -0,0 +1,87 @@ @@ -46528,7 +47391,7 @@ index 0000000..a3d4b57 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46573,7 +47436,7 @@ index 0000000..a3d4b57 +selinux(8), setsebool(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/sge_selinux.8 b/man/man8/sge_selinux.8 new file mode 100644 -index 0000000..c74c0a7 +index 0000000..4259e52 --- /dev/null +++ b/man/man8/sge_selinux.8 @@ -0,0 +1,141 @@ @@ -46590,7 +47453,7 @@ index 0000000..c74c0a7 + + +.PP -+If you want to allow sge to connect to the network using any TCP por, you must turn on the sge_domain_can_network_connect boolean. ++If you want to allow sge to connect to the network using any TCP port, you must turn on the sge_domain_can_network_connect boolean. + +.EX +.B setsebool -P sge_domain_can_network_connect 1 
@@ -46671,7 +47534,7 @@ index 0000000..c74c0a7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46721,7 +47584,7 @@ index 0000000..c74c0a7 \ No newline at end of file diff --git a/man/man8/shorewall_selinux.8 b/man/man8/shorewall_selinux.8 new file mode 100644 -index 0000000..0741c14 +index 0000000..734941b --- /dev/null +++ b/man/man8/shorewall_selinux.8 @@ -0,0 +1,151 @@ @@ -46782,7 +47645,7 @@ index 0000000..0741c14 +.br +.TP 5 +Paths: -+/sbin/shorewall6?, /usr/sbin/shorewall-lite, /sbin/shorewall-lite, /usr/sbin/shorewall6? ++/sbin/shorewall6?, /sbin/shorewall-lite, /usr/sbin/shorewall-lite, /usr/sbin/shorewall6? + +.EX +.PP @@ -46833,7 +47696,7 @@ index 0000000..0741c14 +/var/lib/shorewall-lite(/.*)?, /var/lib/shorewall(/.*)?, /var/lib/shorewall6(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46878,7 +47741,7 @@ index 0000000..0741c14 +selinux(8), shorewall(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/showmount_selinux.8 b/man/man8/showmount_selinux.8 new file mode 100644 -index 0000000..4dabeda +index 0000000..b7b79e9 --- /dev/null +++ b/man/man8/showmount_selinux.8 @@ -0,0 +1,73 @@ 
@@ -46912,7 +47775,7 @@ index 0000000..4dabeda + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46957,7 +47820,7 @@ index 0000000..4dabeda +selinux(8), showmount(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/shutdown_selinux.8 b/man/man8/shutdown_selinux.8 new file mode 100644 -index 0000000..496324f +index 0000000..36a3b8d --- /dev/null +++ b/man/man8/shutdown_selinux.8 @@ -0,0 +1,122 @@ @@ -46974,7 +47837,7 @@ index 0000000..496324f + + +.PP -+If you want to allow HTTPD to connect to port 80 for graceful shutdow, you must turn on the httpd_graceful_shutdown boolean. ++If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean. + +.EX +.B setsebool -P httpd_graceful_shutdown 1 @@ -47036,7 +47899,7 @@ index 0000000..496324f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -47086,7 +47949,7 @@ index 0000000..496324f \ No newline at end of file diff --git a/man/man8/slapd_selinux.8 b/man/man8/slapd_selinux.8 new file mode 100644 -index 0000000..382766a +index 0000000..12c5b4c --- /dev/null +++ b/man/man8/slapd_selinux.8 @@ -0,0 +1,191 @@ 
@@ -47143,7 +48006,7 @@ index 0000000..382766a +.br +.TP 5 +Paths: -+/var/lib/ldap(/.*)?, /etc/openldap/slapd\.d(/.*)? ++/etc/openldap/slapd\.d(/.*)?, /var/lib/ldap(/.*)? + +.EX +.PP @@ -47238,7 +48101,7 @@ index 0000000..382766a +/var/run/slapd\.args, /var/run/openldap(/.*)?, /var/run/slapd\.pid, /var/run/ldapi, /var/run/slapd.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -47283,7 +48146,7 @@ index 0000000..382766a +selinux(8), slapd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/smbcontrol_selinux.8 b/man/man8/smbcontrol_selinux.8 new file mode 100644 -index 0000000..8f94f43 +index 0000000..7f6ce1e --- /dev/null +++ b/man/man8/smbcontrol_selinux.8 @@ -0,0 +1,73 @@ @@ -47317,7 +48180,7 @@ index 0000000..8f94f43 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -47362,7 +48225,7 @@ index 0000000..8f94f43 +selinux(8), smbcontrol(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/smbd_selinux.8 b/man/man8/smbd_selinux.8 new file mode 100644 -index 0000000..a03df1b +index 0000000..3dfbd74 --- /dev/null +++ b/man/man8/smbd_selinux.8 @@ -0,0 +1,167 @@ 
@@ -47464,7 +48327,7 @@ index 0000000..a03df1b +/var/run/samba/gencache\.tdb, /var/run/samba/share_info\.tdb, /var/run/samba(/.*)?, /var/run/samba/locking\.tdb, /var/run/samba/connections\.tdb, /var/run/samba/smbd\.pid, /var/run/samba/sessionid\.tdb, /var/run/samba/brlock\.tdb + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -47535,7 +48398,7 @@ index 0000000..a03df1b +selinux(8), smbd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/smbmount_selinux.8 b/man/man8/smbmount_selinux.8 new file mode 100644 -index 0000000..8865bd0 +index 0000000..360ca80 --- /dev/null +++ b/man/man8/smbmount_selinux.8 @@ -0,0 +1,91 @@ @@ -47587,7 +48450,7 @@ index 0000000..8865bd0 +/usr/bin/smbmnt, /usr/bin/smbmount + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -47632,7 +48495,7 @@ index 0000000..8865bd0 +selinux(8), smbmount(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/smokeping_selinux.8 b/man/man8/smokeping_selinux.8 new file mode 100644 -index 0000000..8269f01 +index 0000000..9b6c4f2 --- /dev/null +++ b/man/man8/smokeping_selinux.8 @@ -0,0 +1,111 @@ 
@@ -47704,7 +48567,7 @@ index 0000000..8269f01 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -47749,7 +48612,7 @@ index 0000000..8269f01 +selinux(8), smokeping(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/smoltclient_selinux.8 b/man/man8/smoltclient_selinux.8 new file mode 100644 -index 0000000..3a4bff5 +index 0000000..a665ee3 --- /dev/null +++ b/man/man8/smoltclient_selinux.8 @@ -0,0 +1,95 @@ @@ -47805,7 +48668,7 @@ index 0000000..3a4bff5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -47850,7 +48713,7 @@ index 0000000..3a4bff5 +selinux(8), smoltclient(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/snmpd_selinux.8 b/man/man8/snmpd_selinux.8 new file mode 100644 -index 0000000..f51efbd +index 0000000..f87f0d4 --- /dev/null +++ b/man/man8/snmpd_selinux.8 @@ -0,0 +1,159 @@ 
@@ -47942,7 +48805,7 @@ index 0000000..f51efbd +/var/run/net-snmpd(/.*)?, /var/run/snmpd\.pid, /var/run/snmpd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -48015,7 +48878,7 @@ index 0000000..f51efbd +selinux(8), snmpd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/snort_selinux.8 b/man/man8/snort_selinux.8 new file mode 100644 -index 0000000..cccbbc7 +index 0000000..e679e9c --- /dev/null +++ b/man/man8/snort_selinux.8 @@ -0,0 +1,117 @@ @@ -48093,7 +48956,7 @@ index 0000000..cccbbc7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -48138,7 +49001,7 @@ index 0000000..cccbbc7 +selinux(8), snort(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/sosreport_selinux.8 b/man/man8/sosreport_selinux.8 new file mode 100644 -index 0000000..529935f +index 0000000..083ed50 --- /dev/null +++ b/man/man8/sosreport_selinux.8 @@ -0,0 +1,103 @@ 
@@ -48202,7 +49065,7 @@ index 0000000..529935f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -48247,7 +49110,7 @@ index 0000000..529935f +selinux(8), sosreport(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/soundd_selinux.8 b/man/man8/soundd_selinux.8 new file mode 100644 -index 0000000..cdb926f +index 0000000..99e1c36 --- /dev/null +++ b/man/man8/soundd_selinux.8 @@ -0,0 +1,159 @@ @@ -48341,7 +49204,7 @@ index 0000000..cdb926f +/var/run/nasd(/.*)?, /var/run/yiff-[0-9]+\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -48412,7 +49275,7 @@ index 0000000..cdb926f +selinux(8), soundd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/spamass_selinux.8 b/man/man8/spamass_selinux.8 new file mode 100644 -index 0000000..f2b9e39 +index 0000000..824297f --- /dev/null +++ b/man/man8/spamass_selinux.8 @@ -0,0 +1,108 @@ 
@@ -48477,7 +49340,7 @@ index 0000000..f2b9e39 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -48527,7 +49390,7 @@ index 0000000..f2b9e39 \ No newline at end of file diff --git a/man/man8/spamc_selinux.8 b/man/man8/spamc_selinux.8 new file mode 100644 -index 0000000..f03830d +index 0000000..36e84ee --- /dev/null +++ b/man/man8/spamc_selinux.8 @@ -0,0 +1,111 @@ @@ -48599,7 +49462,7 @@ index 0000000..f03830d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -48644,7 +49507,7 @@ index 0000000..f03830d +selinux(8), spamc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/spamd_selinux.8 b/man/man8/spamd_selinux.8 new file mode 100644 -index 0000000..ede8ae7 +index 0000000..301c200 --- /dev/null +++ b/man/man8/spamd_selinux.8 @@ -0,0 +1,242 @@ @@ -48675,7 +49538,7 @@ index 0000000..ede8ae7 +.EE + +.PP -+If you want to allow http daemon to check spa, you must turn on the httpd_can_check_spam boolean. ++If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean. + +.EX +.B setsebool -P httpd_can_check_spam 1 
@@ -48762,7 +49625,7 @@ index 0000000..ede8ae7 +.br +.TP 5 +Paths: -+/var/log/razor-agent\.log, /var/log/spamd\.log, /var/log/mimedefang, /var/log/pyzord\.log ++/var/log/razor-agent\.log.*, /var/log/mimedefang, /var/log/pyzord\.log.*, /var/log/spamd\.log.* + +.EX +.PP @@ -48817,7 +49680,7 @@ index 0000000..ede8ae7 +/var/run/spamassassin(/.*)?, /var/spool/MIMEDefang(/.*)?, /var/spool/MD-Quarantine(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -48893,7 +49756,7 @@ index 0000000..ede8ae7 \ No newline at end of file diff --git a/man/man8/squid_selinux.8 b/man/man8/squid_selinux.8 new file mode 100644 -index 0000000..51ec8b0 +index 0000000..39622ca --- /dev/null +++ b/man/man8/squid_selinux.8 @@ -0,0 +1,205 @@ @@ -48910,7 +49773,7 @@ index 0000000..51ec8b0 + + +.PP -+If you want to allow squid to run as a transparent proxy (TPROXY, you must turn on the squid_use_tproxy boolean. ++If you want to allow squid to run as a transparent proxy (TPROXY), you must turn on the squid_use_tproxy boolean. + +.EX +.B setsebool -P squid_use_tproxy 1 @@ -49027,7 +49890,7 @@ index 0000000..51ec8b0 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -49105,7 +49968,7 @@ index 0000000..51ec8b0 \ No newline at end of file 
diff --git a/man/man8/srvsvcd_selinux.8 b/man/man8/srvsvcd_selinux.8 new file mode 100644 -index 0000000..c7b7658 +index 0000000..c867ab4 --- /dev/null +++ b/man/man8/srvsvcd_selinux.8 @@ -0,0 +1,97 @@ @@ -49163,7 +50026,7 @@ index 0000000..c7b7658 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -49208,7 +50071,7 @@ index 0000000..c7b7658 +selinux(8), srvsvcd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ssh_selinux.8 b/man/man8/ssh_selinux.8 new file mode 100644 -index 0000000..c83c4fe +index 0000000..9fc8832 --- /dev/null +++ b/man/man8/ssh_selinux.8 @@ -0,0 +1,264 @@ @@ -49225,7 +50088,7 @@ index 0000000..c83c4fe + + +.PP -+If you want to allow ssh with chroot env to read and write files in the user home directorie, you must turn on the ssh_chroot_rw_homedirs boolean. ++If you want to allow ssh with chroot env to read and write files in the user home directories, you must turn on the ssh_chroot_rw_homedirs boolean. + +.EX +.B setsebool -P ssh_chroot_rw_homedirs 1 @@ -49239,14 +50102,14 @@ index 0000000..c83c4fe +.EE + +.PP -+If you want to allow ssh logins as sysadm_r:sysadm_, you must turn on the ssh_sysadm_login boolean. ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. + +.EX +.B setsebool -P ssh_sysadm_login 1 +.EE + +.PP -+If you want to allow host key based authenticatio, you must turn on the ssh_keysign boolean. ++If you want to allow host key based authentication, you must turn on the ssh_keysign boolean. + +.EX +.B setsebool -P ssh_keysign 1 
@@ -49320,7 +50183,7 @@ index 0000000..c83c4fe +.br +.TP 5 +Paths: -+/var/lib/nocpulse/\.ssh(/.*)?, /var/lib/gitolite/\.ssh(/.*)?, /root/\.shosts, /var/lib/amanda/\.ssh(/.*)?, /var/lib/gitolite3/\.ssh(/.*)?, /root/\.ssh(/.*)? ++/var/lib/nocpulse/\.ssh(/.*)?, /var/lib/gitolite/\.ssh(/.*)?, /root/\.shosts, /var/lib/amanda/\.ssh(/.*)?, /var/lib/gitolite3/\.ssh(/.*)?, /root/\.ssh(/.*)?, /var/lib/stickshift/.*/\.ssh(/.*)? + +.EX +.PP @@ -49403,7 +50266,7 @@ index 0000000..c83c4fe +/var/run/sshd\.pid, /var/run/sshd\.init\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -49479,7 +50342,7 @@ index 0000000..c83c4fe \ No newline at end of file diff --git a/man/man8/sshd_selinux.8 b/man/man8/sshd_selinux.8 new file mode 100644 -index 0000000..95b44d6 +index 0000000..1b057a8 --- /dev/null +++ b/man/man8/sshd_selinux.8 @@ -0,0 +1,204 @@ @@ -49496,7 +50359,7 @@ index 0000000..95b44d6 + + +.PP -+If you want to allow ssh with chroot env to read and write files in the user home directorie, you must turn on the ssh_chroot_rw_homedirs boolean. ++If you want to allow ssh with chroot env to read and write files in the user home directories, you must turn on the ssh_chroot_rw_homedirs boolean. + +.EX +.B setsebool -P ssh_chroot_rw_homedirs 1 
@@ -49510,14 +50373,14 @@ index 0000000..95b44d6 +.EE + +.PP -+If you want to allow ssh logins as sysadm_r:sysadm_, you must turn on the ssh_sysadm_login boolean. ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. + +.EX +.B setsebool -P ssh_sysadm_login 1 +.EE + +.PP -+If you want to allow host key based authenticatio, you must turn on the ssh_keysign boolean. ++If you want to allow host key based authentication, you must turn on the ssh_keysign boolean. + +.EX +.B setsebool -P ssh_keysign 1 @@ -49614,7 +50477,7 @@ index 0000000..95b44d6 +/var/run/sshd\.pid, /var/run/sshd\.init\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -49690,7 +50553,7 @@ index 0000000..95b44d6 \ No newline at end of file diff --git a/man/man8/sssd_selinux.8 b/man/man8/sssd_selinux.8 new file mode 100644 -index 0000000..2c75b4d +index 0000000..485226e --- /dev/null +++ b/man/man8/sssd_selinux.8 @@ -0,0 +1,139 @@ @@ -49790,7 +50653,7 @@ index 0000000..2c75b4d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -50083,9 +50946,126 @@ index 0000000..039dc00 + +.SH "SEE ALSO" +selinux(8), semanage(8). +diff --git a/man/man8/stapserver_selinux.8 b/man/man8/stapserver_selinux.8 +new file mode 100644 +index 0000000..385ff9b +--- /dev/null ++++ b/man/man8/stapserver_selinux.8 +@@ -0,0 +1,111 @@ ++.TH "stapserver_selinux" "8" "stapserver" "dwalsh@redhat.com" "stapserver SELinux Policy documentation" ++.SH "NAME" ++stapserver_selinux \- Security Enhanced Linux Policy for the stapserver processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the stapserver processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the stapserver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the stapserver_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux stapserver policy is very flexible allowing users to setup their stapserver processes in as secure a method as possible. ++.PP ++The following file types are defined for stapserver: ++ ++ ++.EX ++.PP ++.B stapserver_exec_t ++.EE ++ ++- Set files with the stapserver_exec_t type, if you want to transition an executable to the stapserver_t domain. ++ ++ ++.EX ++.PP ++.B stapserver_log_t ++.EE ++ ++- Set files with the stapserver_log_t type, if you want to treat the data as stapserver log data, usually stored under the /var/log directory. 
++ ++ ++.EX ++.PP ++.B stapserver_var_lib_t ++.EE ++ ++- Set files with the stapserver_var_lib_t type, if you want to store the stapserver files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B stapserver_var_run_t ++.EE ++ ++- Set files with the stapserver_var_run_t type, if you want to store the stapserver files under the /run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux stapserver policy is very flexible allowing users to setup their stapserver processes in as secure a method as possible. ++.PP ++The following process types are defined for stapserver: ++ ++.EX ++.B stapserver_t ++.EE ++.PP ++Note: ++.B semanage permissive -a PROCESS_TYPE ++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was autogenerated by genman.py. ++ ++.SH "SEE ALSO" ++selinux(8), stapserver(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/stunnel_selinux.8 b/man/man8/stunnel_selinux.8 new file mode 100644 -index 0000000..03f6069 +index 0000000..70b6674 --- /dev/null +++ b/man/man8/stunnel_selinux.8 @@ -0,0 +1,137 @@ @@ -50161,7 +51141,7 @@ index 0000000..03f6069 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50228,7 +51208,7 @@ index 0000000..03f6069 +selinux(8), stunnel(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/sulogin_selinux.8 b/man/man8/sulogin_selinux.8 new file mode 100644 -index 0000000..e529876 +index 0000000..833aec1 --- /dev/null +++ b/man/man8/sulogin_selinux.8 @@ -0,0 +1,91 @@ @@ -50280,7 +51260,7 @@ index 0000000..e529876 +/usr/sbin/sushell, /sbin/sulogin, /usr/sbin/sulogin, /sbin/sushell + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50325,7 +51305,7 @@ index 0000000..e529876 +selinux(8), sulogin(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/svc_selinux.8 b/man/man8/svc_selinux.8 new file mode 100644 -index 0000000..965dccb +index 0000000..8829e0e --- /dev/null +++ b/man/man8/svc_selinux.8 @@ -0,0 +1,129 @@ 
@@ -50388,7 +51368,7 @@ index 0000000..965dccb +.br +.TP 5 +Paths: -+/var/tinydns/run, /var/qmail/supervise/.*/run, /var/axfrdns/log/run, /usr/bin/setuidgid, /usr/bin/fghack, /var/tinydns/log/run, /var/service/.*/log/run, /var/axfrdns/run, /var/qmail/supervise/.*/log/run, /usr/bin/envuidgid, /usr/bin/envdir, /var/dnscache/run, /usr/bin/softlimit, /var/service/.*/run.*, /usr/bin/pgrphack, /var/dnscache/log/run, /usr/bin/setlock ++/var/tinydns/run, /var/dnscache/log/run, /var/qmail/supervise/.*/run, /var/axfrdns/log/run, /usr/bin/setuidgid, /usr/bin/fghack, /var/tinydns/log/run, /var/service/.*/log/run, /var/axfrdns/run, /var/qmail/supervise/.*/log/run, /usr/bin/envuidgid, /usr/bin/envdir, /var/dnscache/run, /usr/bin/softlimit, /var/service/.*/run.*, /usr/bin/pgrphack, /usr/bin/setlock + +.EX +.PP @@ -50415,7 +51395,7 @@ index 0000000..965dccb +/service, /var/tinydns(/.*)?, /service/.*, /var/service/.*, /var/qmail/supervise(/.*)?, /var/dnscache(/.*)?, /var/axfrdns(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -50458,9 +51438,132 @@ index 0000000..965dccb + +.SH "SEE ALSO" +selinux(8), svc(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/svnserve_selinux.8 b/man/man8/svnserve_selinux.8 +new file mode 100644 +index 0000000..deeacd8 +--- /dev/null ++++ b/man/man8/svnserve_selinux.8 +@@ -0,0 +1,117 @@ ++.TH "svnserve_selinux" "8" "svnserve" "dwalsh@redhat.com" "svnserve SELinux Policy documentation" ++.SH "NAME" ++svnserve_selinux \- Security Enhanced Linux Policy for the svnserve processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the svnserve processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux svnserve policy is very flexible allowing users to setup their svnserve processes in as secure a method as possible. ++.PP ++The following file types are defined for svnserve: ++ ++ ++.EX ++.PP ++.B svnserve_content_t ++.EE ++ ++- Set files with the svnserve_content_t type, if you want to treat the files as svnserve content. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/subversion/repo(/.*)?, /var/subversion/repo(/.*)? ++ ++.EX ++.PP ++.B svnserve_exec_t ++.EE ++ ++- Set files with the svnserve_exec_t type, if you want to transition an executable to the svnserve_t domain. ++ ++ ++.EX ++.PP ++.B svnserve_initrc_exec_t ++.EE ++ ++- Set files with the svnserve_initrc_exec_t type, if you want to transition an executable to the svnserve_initrc_t domain. ++ ++ ++.EX ++.PP ++.B svnserve_unit_file_t ++.EE ++ ++- Set files with the svnserve_unit_file_t type, if you want to treat the files as svnserve unit content. 
++ ++.br ++.TP 5 ++Paths: ++/usr/lib/systemd/system/svnserve\.service, /lib/systemd/system/svnserve\.service ++ ++.EX ++.PP ++.B svnserve_var_run_t ++.EE ++ ++- Set files with the svnserve_var_run_t type, if you want to store the svnserve files under the /run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/svnserve(/.*)?, /var/run/svnserve.pid ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux svnserve policy is very flexible allowing users to setup their svnserve processes in as secure a method as possible. ++.PP ++The following process types are defined for svnserve: ++ ++.EX ++.B svnserve_t ++.EE ++.PP ++Note: ++.B semanage permissive -a PROCESS_TYPE ++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was autogenerated by genman.py. ++ ++.SH "SEE ALSO" ++selinux(8), svnserve(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/swat_selinux.8 b/man/man8/swat_selinux.8 new file mode 100644 -index 0000000..50630d4 +index 0000000..e66b789 --- /dev/null +++ b/man/man8/swat_selinux.8 @@ -0,0 +1,129 @@ @@ -50524,7 +51627,7 @@ index 0000000..50630d4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50831,7 +51934,7 @@ index 0000000..679f836 +selinux(8), semanage(8). diff --git a/man/man8/syslogd_selinux.8 b/man/man8/syslogd_selinux.8 new file mode 100644 -index 0000000..789af30 +index 0000000..838078a --- /dev/null +++ b/man/man8/syslogd_selinux.8 @@ -0,0 +1,195 @@ @@ -50855,14 +51958,14 @@ index 0000000..789af30 +.EE + +.PP -+If you want to allow syslogd the ability to read/write terminal, you must turn on the logging_syslogd_use_tty boolean. ++If you want to allow syslogd the ability to read/write terminals, you must turn on the logging_syslogd_use_tty boolean. + +.EX +.B setsebool -P logging_syslogd_use_tty 1 +.EE + +.PP -+If you want to allow syslogd daemon to send mai, you must turn on the logging_syslogd_can_sendmail boolean. ++If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean. + +.EX +.B setsebool -P logging_syslogd_can_sendmail 1 
@@ -50912,7 +52015,7 @@ index 0000000..789af30 +.br +.TP 5 +Paths: -+/usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/sbin/metalog, /usr/sbin/syslogd, /usr/sbin/minilogd, /sbin/rsyslogd, /usr/lib/systemd/systemd-kmsg-syslogd, /sbin/syslogd, /sbin/syslog-ng, /usr/lib/systemd/systemd-journald, /sbin/minilogd ++/usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/sbin/metalog, /usr/lib/systemd/systemd-journald, /usr/sbin/syslogd, /usr/sbin/minilogd, /sbin/rsyslogd, /usr/lib/systemd/systemd-kmsg-syslogd, /sbin/syslogd, /sbin/syslog-ng, /sbin/minilogd + +.EX +.PP @@ -50955,7 +52058,7 @@ index 0000000..789af30 +/var/run/syslogd\.pid, /var/log/syslog-ng(/.*)?, /var/run/syslog-ng(/.*)?, /var/run/metalog\.pid, /var/run/log(/.*)?, /var/run/syslog-ng.ctl + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51033,7 +52136,7 @@ index 0000000..789af30 \ No newline at end of file diff --git a/man/man8/sysstat_selinux.8 b/man/man8/sysstat_selinux.8 new file mode 100644 -index 0000000..da849d6 +index 0000000..752b8da --- /dev/null +++ b/man/man8/sysstat_selinux.8 @@ -0,0 +1,103 @@ @@ -51097,7 +52200,7 @@ index 0000000..da849d6 +/var/log/sysstat(/.*)?, /var/log/sa(/.*)?, /var/log/atsar(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -51142,7 +52245,7 @@ index 0000000..da849d6 +selinux(8), sysstat(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/system_selinux.8 b/man/man8/system_selinux.8 new file mode 100644 -index 0000000..4f13780 +index 0000000..6ad303f --- /dev/null +++ b/man/man8/system_selinux.8 @@ -0,0 +1,350 @@ @@ -51180,7 +52283,7 @@ index 0000000..4f13780 +.EE + +.PP -+If you want to allow clamscan to non security files on a syste, you must turn on the clamscan_can_scan_system boolean. ++If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean. + +.EX +.B setsebool -P clamscan_can_scan_system 1 
@@ -51334,7 +52437,7 @@ index 0000000..4f13780 +.br +.TP 5 +Paths: -+/usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/swap, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/load, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/users, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/open_files ++/usr/share/munin/plugins/swap, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/load, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/users, /usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/open_files + +.EX +.PP @@ -51449,7 +52552,7 @@ index 0000000..4f13780 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51499,7 +52602,7 @@ index 0000000..4f13780 \ No newline at end of file 
diff --git a/man/man8/systemd_selinux.8 b/man/man8/systemd_selinux.8 new file mode 100644 -index 0000000..0b8e918 +index 0000000..daf7004 --- /dev/null +++ b/man/man8/systemd_selinux.8 @@ -0,0 +1,226 @@ @@ -51537,7 +52640,7 @@ index 0000000..0b8e918 +.EE + +.PP -+If you want to allow clamscan to non security files on a syste, you must turn on the clamscan_can_scan_system boolean. ++If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean. + +.EX +.B setsebool -P clamscan_can_scan_system 1 @@ -51682,7 +52785,7 @@ index 0000000..0b8e918 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51732,7 +52835,7 @@ index 0000000..0b8e918 \ No newline at end of file diff --git a/man/man8/tcpd_selinux.8 b/man/man8/tcpd_selinux.8 new file mode 100644 -index 0000000..1bc9697 +index 0000000..0f29f20 --- /dev/null +++ b/man/man8/tcpd_selinux.8 @@ -0,0 +1,110 @@ @@ -51799,7 +52902,7 @@ index 0000000..1bc9697 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51849,7 +52952,7 @@ index 0000000..1bc9697 \ No newline at end of file diff --git a/man/man8/tcsd_selinux.8 b/man/man8/tcsd_selinux.8 new file mode 100644 -index 0000000..0edc1da +index 0000000..e16b7a1 --- /dev/null +++ b/man/man8/tcsd_selinux.8 
@@ -0,0 +1,129 @@ @@ -51913,7 +53016,7 @@ index 0000000..0edc1da + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51984,7 +53087,7 @@ index 0000000..0edc1da +selinux(8), tcsd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/telepathy_selinux.8 b/man/man8/telepathy_selinux.8 new file mode 100644 -index 0000000..8ea175b +index 0000000..aca274f --- /dev/null +++ b/man/man8/telepathy_selinux.8 @@ -0,0 +1,321 @@ @@ -52262,7 +53365,7 @@ index 0000000..8ea175b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52312,7 +53415,7 @@ index 0000000..8ea175b \ No newline at end of file diff --git a/man/man8/telnetd_selinux.8 b/man/man8/telnetd_selinux.8 new file mode 100644 -index 0000000..a7dc2aa +index 0000000..053c28a --- /dev/null +++ b/man/man8/telnetd_selinux.8 @@ -0,0 +1,141 @@ @@ -52388,7 +53491,7 @@ index 0000000..a7dc2aa + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -52459,7 +53562,7 @@ index 0000000..a7dc2aa +selinux(8), telnetd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tftpd_selinux.8 b/man/man8/tftpd_selinux.8 new file mode 100644 -index 0000000..7c880cc +index 0000000..a3dee82 --- /dev/null +++ b/man/man8/tftpd_selinux.8 @@ -0,0 +1,179 @@ @@ -52573,7 +53676,7 @@ index 0000000..7c880cc +/tftpboot/.*, /tftpboot + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52644,7 +53747,7 @@ index 0000000..7c880cc +selinux(8), tftpd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tgtd_selinux.8 b/man/man8/tgtd_selinux.8 new file mode 100644 -index 0000000..a134111 +index 0000000..6882c89 --- /dev/null +++ b/man/man8/tgtd_selinux.8 @@ -0,0 +1,113 @@ @@ -52718,7 +53821,7 @@ index 0000000..a134111 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52848,7 +53951,7 @@ index 0000000..c7f6423 +selinux(8), thin(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/thumb_selinux.8 b/man/man8/thumb_selinux.8 new file mode 100644 -index 0000000..0177855 +index 0000000..99425cf --- /dev/null +++ b/man/man8/thumb_selinux.8 @@ -0,0 +1,107 @@ 
@@ -52897,7 +54000,7 @@ index 0000000..0177855 +.br +.TP 5 +Paths: -+/usr/bin/whaaw-thumbnailer, /usr/lib/tumbler[^/]*/tumblerd, /usr/bin/raw-thumbnailer, /usr/bin/evince-thumbnailer, /usr/bin/[^/]*thumbnailer, /usr/bin/ffmpegthumbnailer, /usr/bin/shotwell-video-thumbnailer, /usr/bin/gsf-office-thumbnailer, /usr/bin/gnome-thumbnail-font, /usr/bin/totem-video-thumbnailer, /usr/bin/gnome-[^/]*-thumbnailer(.sh)? ++/usr/bin/whaaw-thumbnailer, /usr/lib/tumbler[^/]*/tumblerd, /usr/bin/raw-thumbnailer, /usr/bin/evince-thumbnailer, /usr/bin/[^/]*thumbnailer, /usr/bin/ffmpegthumbnailer, /usr/bin/shotwell-video-thumbnailer, /usr/bin/gsf-office-thumbnailer, /usr/bin/totem-video-thumbnailer, /usr/bin/gnome-thumbnail-font, /usr/bin/gnome-[^/]*-thumbnailer(.sh)? + +.EX +.PP @@ -52916,7 +54019,7 @@ index 0000000..0177855 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52961,7 +54064,7 @@ index 0000000..0177855 +selinux(8), thumb(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tmpreaper_selinux.8 b/man/man8/tmpreaper_selinux.8 new file mode 100644 -index 0000000..2f35c84 +index 0000000..5dbbf85 --- /dev/null +++ b/man/man8/tmpreaper_selinux.8 @@ -0,0 +1,91 @@ 
@@ -53013,7 +54116,7 @@ index 0000000..2f35c84 +/usr/sbin/tmpwatch, /usr/sbin/tmpreaper + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -53056,9 +54159,136 @@ index 0000000..2f35c84 + +.SH "SEE ALSO" +selinux(8), tmpreaper(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/tomcat_selinux.8 b/man/man8/tomcat_selinux.8 +new file mode 100644 +index 0000000..0d35133 +--- /dev/null ++++ b/man/man8/tomcat_selinux.8 +@@ -0,0 +1,121 @@ ++.TH "tomcat_selinux" "8" "tomcat" "dwalsh@redhat.com" "tomcat SELinux Policy documentation" ++.SH "NAME" ++tomcat_selinux \- Security Enhanced Linux Policy for the tomcat processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the tomcat processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux tomcat policy is very flexible allowing users to setup their tomcat processes in as secure a method as possible. ++.PP ++The following file types are defined for tomcat: ++ ++ ++.EX ++.PP ++.B tomcat_cache_t ++.EE ++ ++- Set files with the tomcat_cache_t type, if you want to store the files under the /var/cache directory. ++ ++ ++.EX ++.PP ++.B tomcat_exec_t ++.EE ++ ++- Set files with the tomcat_exec_t type, if you want to transition an executable to the tomcat_t domain. ++ ++ ++.EX ++.PP ++.B tomcat_log_t ++.EE ++ ++- Set files with the tomcat_log_t type, if you want to treat the data as tomcat log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B tomcat_tmp_t ++.EE ++ ++- Set files with the tomcat_tmp_t type, if you want to store tomcat temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B tomcat_unit_file_t ++.EE ++ ++- Set files with the tomcat_unit_file_t type, if you want to treat the files as tomcat unit content. 
++ ++ ++.EX ++.PP ++.B tomcat_var_lib_t ++.EE ++ ++- Set files with the tomcat_var_lib_t type, if you want to store the tomcat files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B tomcat_var_run_t ++.EE ++ ++- Set files with the tomcat_var_run_t type, if you want to store the tomcat files under the /run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux tomcat policy is very flexible allowing users to setup their tomcat processes in as secure a method as possible. ++.PP ++The following process types are defined for tomcat: ++ ++.EX ++.B tomcat_t ++.EE ++.PP ++Note: ++.B semanage permissive -a PROCESS_TYPE ++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was autogenerated by genman.py. ++ ++.SH "SEE ALSO" ++selinux(8), tomcat(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tor_selinux.8 b/man/man8/tor_selinux.8 new file mode 100644 -index 0000000..3a97e32 +index 0000000..fee5733 --- /dev/null 
+++ b/man/man8/tor_selinux.8 @@ -0,0 +1,195 @@ @@ -53173,7 +54403,7 @@ index 0000000..3a97e32 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53260,7 +54490,7 @@ index 0000000..3a97e32 \ No newline at end of file diff --git a/man/man8/traceroute_selinux.8 b/man/man8/traceroute_selinux.8 new file mode 100644 -index 0000000..af7a872 +index 0000000..480158c --- /dev/null +++ b/man/man8/traceroute_selinux.8 @@ -0,0 +1,117 @@ @@ -53312,7 +54542,7 @@ index 0000000..af7a872 +/bin/tracepath.*, /usr/sbin/mtr, /usr/bin/traceroute.*, /usr/bin/nmap, /usr/bin/lft, /bin/traceroute.*, /usr/bin/tracepath.*, /usr/sbin/traceroute.*, /usr/bin/mtr + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53383,7 +54613,7 @@ index 0000000..af7a872 +selinux(8), traceroute(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tuned_selinux.8 b/man/man8/tuned_selinux.8 new file mode 100644 -index 0000000..57d21c7 +index 0000000..fa0b060 --- /dev/null +++ b/man/man8/tuned_selinux.8 @@ -0,0 +1,135 @@ @@ -53456,7 +54686,7 @@ index 0000000..57d21c7 +.br +.TP 5 +Paths: -+/var/log/tuned(/.*)?, /var/log/tuned\.log ++/var/log/tuned\.log.*, /var/log/tuned(/.*)? + +.EX +.PP 
@@ -53479,7 +54709,7 @@ index 0000000..57d21c7 +/var/run/tuned(/.*)?, /var/run/tuned\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53524,7 +54754,7 @@ index 0000000..57d21c7 +selinux(8), tuned(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tvtime_selinux.8 b/man/man8/tvtime_selinux.8 new file mode 100644 -index 0000000..fd62159 +index 0000000..99e344a --- /dev/null +++ b/man/man8/tvtime_selinux.8 @@ -0,0 +1,97 @@ @@ -53582,7 +54812,7 @@ index 0000000..fd62159 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53627,7 +54857,7 @@ index 0000000..fd62159 +selinux(8), tvtime(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/udev_selinux.8 b/man/man8/udev_selinux.8 new file mode 100644 -index 0000000..995f726 +index 0000000..5d64458 --- /dev/null +++ b/man/man8/udev_selinux.8 @@ -0,0 +1,131 @@ 
@@ -53684,7 +54914,7 @@ index 0000000..995f726 +.br +.TP 5 +Paths: -+/lib/udev/udevd, /usr/bin/udevinfo, /sbin/udevd, /sbin/udev, /usr/sbin/wait_for_sysfs, /sbin/udevsend, /usr/sbin/udevadm, /usr/bin/udevadm, /usr/sbin/start_udev, /usr/sbin/udev, /sbin/wait_for_sysfs, /usr/sbin/udevsend, /sbin/start_udev, /sbin/udevstart, /bin/udevadm, /lib/udev/udev-acl, /sbin/udevadm, /usr/sbin/udevd, /usr/lib/systemd/systemd-udevd, /usr/sbin/udevstart, /usr/lib/udev/udev-acl, /usr/lib/udev/udevd ++/lib/udev/udevd, /usr/bin/udevinfo, /sbin/udevd, /sbin/udev, /usr/sbin/wait_for_sysfs, /sbin/udevsend, /usr/sbin/udevadm, /usr/bin/udevadm, /usr/sbin/start_udev, /usr/sbin/udev, /usr/sbin/udevsend, /sbin/start_udev, /sbin/udevstart, /bin/udevadm, /sbin/wait_for_sysfs, /lib/udev/udev-acl, /sbin/udevadm, /usr/sbin/udevd, /usr/lib/systemd/systemd-udevd, /usr/sbin/udevstart, /usr/lib/udev/udev-acl, /usr/lib/udev/udevd + +.EX +.PP @@ -53719,7 +54949,7 @@ index 0000000..995f726 +/var/run/udev(/.*)?, /dev/\.udevdb, /var/run/PackageKit/udev(/.*)?, /dev/\.udev(/.*)?, /dev/udev\.tbl, /var/run/libgpod(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53764,7 +54994,7 @@ index 0000000..995f726 +selinux(8), udev(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ulogd_selinux.8 b/man/man8/ulogd_selinux.8 new file mode 100644 -index 0000000..7e31875 +index 0000000..996fdd3 --- /dev/null +++ b/man/man8/ulogd_selinux.8 @@ -0,0 +1,105 @@ 
@@ -53830,7 +55060,7 @@ index 0000000..7e31875 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53875,7 +55105,7 @@ index 0000000..7e31875 +selinux(8), ulogd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/uml_selinux.8 b/man/man8/uml_selinux.8 new file mode 100644 -index 0000000..e33f74d +index 0000000..f128c0a --- /dev/null +++ b/man/man8/uml_selinux.8 @@ -0,0 +1,121 @@ @@ -53957,7 +55187,7 @@ index 0000000..e33f74d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54002,7 +55232,7 @@ index 0000000..e33f74d +selinux(8), uml(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/unconfined_selinux.8 b/man/man8/unconfined_selinux.8 new file mode 100644 -index 0000000..f2d638d +index 0000000..1f8a4a7 --- /dev/null +++ b/man/man8/unconfined_selinux.8 @@ -0,0 +1,141 @@ @@ -54019,7 +55249,7 @@ index 0000000..f2d638d + + +.PP -+If you want to allow database admins to execute DML statemen, you must turn on the sepgsql_unconfined_dbadm boolean. ++If you want to allow database admins to execute DML statement, you must turn on the sepgsql_unconfined_dbadm boolean. + +.EX +.B setsebool -P sepgsql_unconfined_dbadm 1 
@@ -54033,28 +55263,28 @@ index 0000000..f2d638d +.EE + +.PP -+If you want to allow a user to login as an unconfined domai, you must turn on the unconfined_login boolean. ++If you want to allow a user to login as an unconfined domain, you must turn on the unconfined_login boolean. + +.EX +.B setsebool -P unconfined_login 1 +.EE + +.PP -+If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbo, you must turn on the unconfined_chrome_sandbox_transition boolean. ++If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean. + +.EX +.B setsebool -P unconfined_chrome_sandbox_transition 1 +.EE + +.PP -+If you want to allow samba to run unconfined script, you must turn on the samba_run_unconfined boolean. ++If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean. + +.EX +.B setsebool -P samba_run_unconfined 1 +.EE + +.PP -+If you want to allow video playing tools to run unconfine, you must turn on the unconfined_mplayer boolean. ++If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean. + +.EX +.B setsebool -P unconfined_mplayer 1 @@ -54100,7 +55330,7 @@ index 0000000..f2d638d +/usr/sbin/xrdp, /usr/sbin/xrdp-sesman, /usr/bin/vncserver + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54150,7 +55380,7 @@ index 0000000..f2d638d \ No newline at end of file 
diff --git a/man/man8/update_selinux.8 b/man/man8/update_selinux.8 new file mode 100644 -index 0000000..252ec75 +index 0000000..709a167 --- /dev/null +++ b/man/man8/update_selinux.8 @@ -0,0 +1,85 @@ @@ -54196,7 +55426,7 @@ index 0000000..252ec75 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54241,7 +55471,7 @@ index 0000000..252ec75 +selinux(8), update(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/updfstab_selinux.8 b/man/man8/updfstab_selinux.8 new file mode 100644 -index 0000000..d7cb248 +index 0000000..fea0af1 --- /dev/null +++ b/man/man8/updfstab_selinux.8 @@ -0,0 +1,91 @@ @@ -54293,7 +55523,7 @@ index 0000000..d7cb248 +/usr/sbin/updfstab, /usr/sbin/fstab-sync + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54338,7 +55568,7 @@ index 0000000..d7cb248 +selinux(8), updfstab(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/updpwd_selinux.8 b/man/man8/updpwd_selinux.8 new file mode 100644 -index 0000000..c302ebe +index 0000000..48588e9 --- /dev/null +++ b/man/man8/updpwd_selinux.8 @@ -0,0 +1,91 @@ 
@@ -54390,7 +55620,7 @@ index 0000000..c302ebe +/sbin/unix_update, /usr/sbin/unix_update + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54435,7 +55665,7 @@ index 0000000..c302ebe +selinux(8), updpwd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/usbmodules_selinux.8 b/man/man8/usbmodules_selinux.8 new file mode 100644 -index 0000000..532a0c5 +index 0000000..7a8990c --- /dev/null +++ b/man/man8/usbmodules_selinux.8 @@ -0,0 +1,77 @@ @@ -54473,7 +55703,7 @@ index 0000000..532a0c5 +/usr/sbin/usbmodules, /sbin/usbmodules + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54518,7 +55748,7 @@ index 0000000..532a0c5 +selinux(8), usbmodules(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/usbmuxd_selinux.8 b/man/man8/usbmuxd_selinux.8 new file mode 100644 -index 0000000..f7902e5 +index 0000000..2e76cd8 --- /dev/null +++ b/man/man8/usbmuxd_selinux.8 @@ -0,0 +1,95 @@ 
@@ -54574,7 +55804,7 @@ index 0000000..f7902e5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54819,7 +56049,7 @@ index 0000000..a2082e9 +selinux(8), semanage(8). diff --git a/man/man8/useradd_selinux.8 b/man/man8/useradd_selinux.8 new file mode 100644 -index 0000000..a32bbec +index 0000000..6e4f849 --- /dev/null +++ b/man/man8/useradd_selinux.8 @@ -0,0 +1,91 @@ @@ -54871,7 +56101,7 @@ index 0000000..a32bbec +/usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/newusers + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54916,7 +56146,7 @@ index 0000000..a32bbec +selinux(8), useradd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/usernetctl_selinux.8 b/man/man8/usernetctl_selinux.8 new file mode 100644 -index 0000000..cf7a33b +index 0000000..8d70cce --- /dev/null +++ b/man/man8/usernetctl_selinux.8 @@ -0,0 +1,87 @@ 
@@ -54964,7 +56194,7 @@ index 0000000..cf7a33b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55009,7 +56239,7 @@ index 0000000..cf7a33b +selinux(8), usernetctl(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/utempter_selinux.8 b/man/man8/utempter_selinux.8 new file mode 100644 -index 0000000..34af4de +index 0000000..1016d5f --- /dev/null +++ b/man/man8/utempter_selinux.8 @@ -0,0 +1,87 @@ @@ -55057,7 +56287,7 @@ index 0000000..34af4de + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55102,7 +56332,7 @@ index 0000000..34af4de +selinux(8), utempter(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/uucpd_selinux.8 b/man/man8/uucpd_selinux.8 new file mode 100644 -index 0000000..43406f1 +index 0000000..7f7f531 --- /dev/null +++ b/man/man8/uucpd_selinux.8 @@ -0,0 +1,173 @@ 
@@ -55210,7 +56440,7 @@ index 0000000..43406f1 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55281,7 +56511,7 @@ index 0000000..43406f1 +selinux(8), uucpd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/uuidd_selinux.8 b/man/man8/uuidd_selinux.8 new file mode 100644 -index 0000000..3dfe015 +index 0000000..6a802e0 --- /dev/null +++ b/man/man8/uuidd_selinux.8 @@ -0,0 +1,97 @@ @@ -55339,7 +56569,7 @@ index 0000000..3dfe015 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55384,7 +56614,7 @@ index 0000000..3dfe015 +selinux(8), uuidd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/uux_selinux.8 b/man/man8/uux_selinux.8 new file mode 100644 -index 0000000..6116416 +index 0000000..94f9b00 --- /dev/null +++ b/man/man8/uux_selinux.8 @@ -0,0 +1,87 @@ @@ -55432,7 +56662,7 @@ index 0000000..6116416 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -55477,7 +56707,7 @@ index 0000000..6116416 +selinux(8), uux(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/varnishd_selinux.8 b/man/man8/varnishd_selinux.8 new file mode 100644 -index 0000000..e1852e6 +index 0000000..5e7b955 --- /dev/null +++ b/man/man8/varnishd_selinux.8 @@ -0,0 +1,168 @@ @@ -55576,7 +56806,7 @@ index 0000000..e1852e6 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55652,7 +56882,7 @@ index 0000000..e1852e6 \ No newline at end of file diff --git a/man/man8/varnishlog_selinux.8 b/man/man8/varnishlog_selinux.8 new file mode 100644 -index 0000000..aec0070 +index 0000000..4f51e3f --- /dev/null +++ b/man/man8/varnishlog_selinux.8 @@ -0,0 +1,109 @@ @@ -55722,7 +56952,7 @@ index 0000000..aec0070 +/var/run/varnishncsa\.pid, /var/run/varnishlog\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55767,7 +56997,7 @@ index 0000000..aec0070 +selinux(8), varnishlog(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/vbetool_selinux.8 b/man/man8/vbetool_selinux.8 new file mode 100644 -index 0000000..a380712 +index 0000000..502e672 --- /dev/null +++ b/man/man8/vbetool_selinux.8 @@ -0,0 +1,88 @@ 
@@ -55812,7 +57042,7 @@ index 0000000..a380712 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55862,7 +57092,7 @@ index 0000000..a380712 \ No newline at end of file diff --git a/man/man8/vdagent_selinux.8 b/man/man8/vdagent_selinux.8 new file mode 100644 -index 0000000..bdcb173 +index 0000000..f8c8221 --- /dev/null +++ b/man/man8/vdagent_selinux.8 @@ -0,0 +1,97 @@ @@ -55905,7 +57135,7 @@ index 0000000..bdcb173 +.br +.TP 5 +Paths: -+/var/log/spice-vdagentd(/.*)?, /var/log/spice-vdagentd\.log ++/var/log/spice-vdagentd\.log.*, /var/log/spice-vdagentd(/.*)? + +.EX +.PP @@ -55920,7 +57150,7 @@ index 0000000..bdcb173 +/var/run/spice-vdagentd.\pid, /var/run/spice-vdagentd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55965,7 +57195,7 @@ index 0000000..bdcb173 +selinux(8), vdagent(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/vhostmd_selinux.8 b/man/man8/vhostmd_selinux.8 new file mode 100644 -index 0000000..3f35c18 +index 0000000..f840982 --- /dev/null +++ b/man/man8/vhostmd_selinux.8 @@ -0,0 +1,111 @@ 
@@ -56037,7 +57267,7 @@ index 0000000..3f35c18 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -56082,10 +57312,10 @@ index 0000000..3f35c18 +selinux(8), vhostmd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/virsh_selinux.8 b/man/man8/virsh_selinux.8 new file mode 100644 -index 0000000..7b63ffc +index 0000000..f603d57 --- /dev/null +++ b/man/man8/virsh_selinux.8 -@@ -0,0 +1,87 @@ +@@ -0,0 +1,91 @@ +.TH "virsh_selinux" "8" "virsh" "dwalsh@redhat.com" "virsh SELinux Policy documentation" +.SH "NAME" +virsh_selinux \- Security Enhanced Linux Policy for the virsh processes @@ -56128,9 +57358,13 @@ index 0000000..7b63ffc + +- Set files with the virsh_exec_t type, if you want to transition an executable to the virsh_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/virt-sandbox-service.*, /usr/bin/virsh + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -56175,10 +57409,10 @@ index 0000000..7b63ffc +selinux(8), virsh(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/virt_selinux.8 b/man/man8/virt_selinux.8 new file mode 100644 -index 0000000..f7d1708 +index 0000000..8dc1d8d --- /dev/null 
+++ b/man/man8/virt_selinux.8 -@@ -0,0 +1,365 @@ +@@ -0,0 +1,373 @@ +.TH "virt_selinux" "8" "virt" "dwalsh@redhat.com" "virt SELinux Policy documentation" +.SH "NAME" +virt_selinux \- Security Enhanced Linux Policy for the virt processes 
@@ -56192,63 +57426,63 @@ index 0000000..f7d1708 + + +.PP -+If you want to allow confined virtual guests to manage nfs file, you must turn on the virt_use_nfs boolean. ++If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean. + +.EX +.B setsebool -P virt_use_nfs 1 +.EE + +.PP -+If you want to allow confined virtual guests to use serial/parallel communication port, you must turn on the virt_use_comm boolean. ++If you want to allow confined virtual guests to use serial/parallel communication ports, you must turn on the virt_use_comm boolean. + +.EX +.B setsebool -P virt_use_comm 1 +.EE + +.PP -+If you want to allow confined virtual guests to interact with the xserve, you must turn on the virt_use_xserver boolean. ++If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean. + +.EX +.B setsebool -P virt_use_xserver 1 +.EE + +.PP -+If you want to allow confined virtual guests to manage device configuration, (pci, you must turn on the virt_use_sysfs boolean. ++If you want to allow confined virtual guests to manage device configuration, (pci), you must turn on the virt_use_sysfs boolean. + +.EX +.B setsebool -P virt_use_sysfs 1 +.EE + +.PP -+If you want to allow confined virtual guests to interact with the sanloc, you must turn on the virt_use_sanlock boolean. ++If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean. + +.EX +.B setsebool -P virt_use_sanlock 1 +.EE + +.PP -+If you want to allow confined virtual guests to use executable memory and executable stac, you must turn on the virt_use_execmem boolean. ++If you want to allow confined virtual guests to use executable memory and executable stack, you must turn on the virt_use_execmem boolean. 
+ +.EX +.B setsebool -P virt_use_execmem 1 +.EE + +.PP -+If you want to allow confined virtual guests to read fuse file, you must turn on the virt_use_fusefs boolean. ++If you want to allow confined virtual guests to read fuse files, you must turn on the virt_use_fusefs boolean. + +.EX +.B setsebool -P virt_use_fusefs 1 +.EE + +.PP -+If you want to allow confined virtual guests to use usb device, you must turn on the virt_use_usb boolean. ++If you want to allow confined virtual guests to use usb devices, you must turn on the virt_use_usb boolean. + +.EX +.B setsebool -P virt_use_usb 1 +.EE + +.PP -+If you want to allow confined virtual guests to manage cifs file, you must turn on the virt_use_samba boolean. ++If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean. + +.EX +.B setsebool -P virt_use_samba 1 @@ -56359,6 +57593,14 @@ index 0000000..f7d1708 + +.EX +.PP ++.B virt_lock_t ++.EE ++ ++- Set files with the virt_lock_t type, if you want to treat the files as virt lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP +.B virt_log_t +.EE + @@ -56419,7 +57661,7 @@ index 0000000..f7d1708 +.br +.TP 5 +Paths: -+/var/run/vdsm(/.*)?, /var/vdsm(/.*)?, /var/run/libvirt(/.*)? ++/var/run/vdsm(/.*)?, /var/run/libguestfs(/.*)?, /var/vdsm(/.*)?, /var/run/libvirt(/.*)? + +.EX +.PP @@ -56458,7 +57700,7 @@ index 0000000..f7d1708 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -56547,7 +57789,7 @@ index 0000000..f7d1708 \ No newline at end of file 
diff --git a/man/man8/virtd_selinux.8 b/man/man8/virtd_selinux.8 new file mode 100644 -index 0000000..b6b2fd4 +index 0000000..196fc17 --- /dev/null +++ b/man/man8/virtd_selinux.8 @@ -0,0 +1,225 @@ 
@@ -56564,63 +57806,63 @@ index 0000000..b6b2fd4 + + +.PP -+If you want to allow confined virtual guests to manage nfs file, you must turn on the virt_use_nfs boolean. ++If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean. + +.EX +.B setsebool -P virt_use_nfs 1 +.EE + +.PP -+If you want to allow confined virtual guests to use serial/parallel communication port, you must turn on the virt_use_comm boolean. ++If you want to allow confined virtual guests to use serial/parallel communication ports, you must turn on the virt_use_comm boolean. + +.EX +.B setsebool -P virt_use_comm 1 +.EE + +.PP -+If you want to allow confined virtual guests to interact with the xserve, you must turn on the virt_use_xserver boolean. ++If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean. + +.EX +.B setsebool -P virt_use_xserver 1 +.EE + +.PP -+If you want to allow confined virtual guests to manage device configuration, (pci, you must turn on the virt_use_sysfs boolean. ++If you want to allow confined virtual guests to manage device configuration, (pci), you must turn on the virt_use_sysfs boolean. + +.EX +.B setsebool -P virt_use_sysfs 1 +.EE + +.PP -+If you want to allow confined virtual guests to interact with the sanloc, you must turn on the virt_use_sanlock boolean. ++If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean. + +.EX +.B setsebool -P virt_use_sanlock 1 +.EE + +.PP -+If you want to allow confined virtual guests to use executable memory and executable stac, you must turn on the virt_use_execmem boolean. ++If you want to allow confined virtual guests to use executable memory and executable stack, you must turn on the virt_use_execmem boolean. 
+ +.EX +.B setsebool -P virt_use_execmem 1 +.EE + +.PP -+If you want to allow confined virtual guests to read fuse file, you must turn on the virt_use_fusefs boolean. ++If you want to allow confined virtual guests to read fuse files, you must turn on the virt_use_fusefs boolean. + +.EX +.B setsebool -P virt_use_fusefs 1 +.EE + +.PP -+If you want to allow confined virtual guests to use usb device, you must turn on the virt_use_usb boolean. ++If you want to allow confined virtual guests to use usb devices, you must turn on the virt_use_usb boolean. + +.EX +.B setsebool -P virt_use_usb 1 +.EE + +.PP -+If you want to allow confined virtual guests to manage cifs file, you must turn on the virt_use_samba boolean. ++If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean. + +.EX +.B setsebool -P virt_use_samba 1 @@ -56690,7 +57932,7 @@ index 0000000..b6b2fd4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -56779,7 +58021,7 @@ index 0000000..b6b2fd4 \ No newline at end of file diff --git a/man/man8/vlock_selinux.8 b/man/man8/vlock_selinux.8 new file mode 100644 -index 0000000..a334b41 +index 0000000..3db3dd5 --- /dev/null +++ b/man/man8/vlock_selinux.8 @@ -0,0 +1,87 @@ 
@@ -56827,7 +58069,7 @@ index 0000000..a334b41 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -56872,7 +58114,7 @@ index 0000000..a334b41 +selinux(8), vlock(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/vmware_selinux.8 b/man/man8/vmware_selinux.8 new file mode 100644 -index 0000000..7ce75e5 +index 0000000..ab1f549 --- /dev/null +++ b/man/man8/vmware_selinux.8 @@ -0,0 +1,169 @@ @@ -57002,7 +58244,7 @@ index 0000000..7ce75e5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -57047,7 +58289,7 @@ index 0000000..7ce75e5 +selinux(8), vmware(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/vnstat_selinux.8 b/man/man8/vnstat_selinux.8 new file mode 100644 -index 0000000..c497c1b +index 0000000..90431d7 --- /dev/null +++ b/man/man8/vnstat_selinux.8 @@ -0,0 +1,97 @@ @@ -57105,7 +58347,7 @@ index 0000000..c497c1b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -57150,7 +58392,7 @@ index 0000000..c497c1b +selinux(8), vnstat(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/vnstatd_selinux.8 b/man/man8/vnstatd_selinux.8 new file mode 100644 -index 0000000..ee13308 +index 0000000..7fdefeb --- /dev/null +++ b/man/man8/vnstatd_selinux.8 @@ -0,0 +1,89 @@ @@ -57200,7 +58442,7 @@ index 0000000..ee13308 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -57245,7 +58487,7 @@ index 0000000..ee13308 +selinux(8), vnstatd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/vpnc_selinux.8 b/man/man8/vpnc_selinux.8 new file mode 100644 -index 0000000..cabfeb1 +index 0000000..3c115fb --- /dev/null +++ b/man/man8/vpnc_selinux.8 @@ -0,0 +1,107 @@ @@ -57313,7 +58555,7 @@ index 0000000..cabfeb1 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -57358,7 +58600,7 @@ index 0000000..cabfeb1 +selinux(8), vpnc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/wdmd_selinux.8 b/man/man8/wdmd_selinux.8 new file mode 100644 -index 0000000..1d1a204 +index 0000000..3ad930d --- /dev/null +++ b/man/man8/wdmd_selinux.8 @@ -0,0 +1,103 @@ 
@@ -57422,7 +58664,7 @@ index 0000000..1d1a204 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -57538,7 +58780,7 @@ index 0000000..072a0c0 +selinux(8), semanage(8). diff --git a/man/man8/webalizer_selinux.8 b/man/man8/webalizer_selinux.8 new file mode 100644 -index 0000000..b4575fa +index 0000000..67e4921 --- /dev/null +++ b/man/man8/webalizer_selinux.8 @@ -0,0 +1,131 @@ @@ -57630,7 +58872,7 @@ index 0000000..b4575fa + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -57675,7 +58917,7 @@ index 0000000..b4575fa +selinux(8), webalizer(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/winbind_selinux.8 b/man/man8/winbind_selinux.8 new file mode 100644 -index 0000000..5be2428 +index 0000000..663ec66 --- /dev/null +++ b/man/man8/winbind_selinux.8 @@ -0,0 +1,130 @@ @@ -57692,7 +58934,7 @@ index 0000000..5be2428 + + +.PP -+If you want to allow Apache to use mod_auth_ntlm_winbin, you must turn on the httpd_mod_auth_ntlm_winbind boolean. ++If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean. + +.EX +.B setsebool -P httpd_mod_auth_ntlm_winbind 1 
@@ -57762,7 +59004,7 @@ index 0000000..5be2428 +/var/cache/samba/winbindd_privileged(/.*)?, /var/lib/samba/winbindd_privileged(/.*)?, /var/run/winbindd(/.*)?, /var/run/samba/winbindd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -57812,7 +59054,7 @@ index 0000000..5be2428 \ No newline at end of file diff --git a/man/man8/wine_selinux.8 b/man/man8/wine_selinux.8 new file mode 100644 -index 0000000..8bce1e7 +index 0000000..10fe614 --- /dev/null +++ b/man/man8/wine_selinux.8 @@ -0,0 +1,100 @@ @@ -57869,7 +59111,7 @@ index 0000000..8bce1e7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -57919,7 +59161,7 @@ index 0000000..8bce1e7 \ No newline at end of file diff --git a/man/man8/wireshark_selinux.8 b/man/man8/wireshark_selinux.8 new file mode 100644 -index 0000000..f195e54 +index 0000000..c7544cc --- /dev/null +++ b/man/man8/wireshark_selinux.8 @@ -0,0 +1,111 @@ 
@@ -57991,7 +59233,7 @@ index 0000000..f195e54 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -58036,7 +59278,7 @@ index 0000000..f195e54 +selinux(8), wireshark(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/wpa_selinux.8 b/man/man8/wpa_selinux.8 new file mode 100644 -index 0000000..6c081d0 +index 0000000..2d45137 --- /dev/null +++ b/man/man8/wpa_selinux.8 @@ -0,0 +1,77 @@ @@ -58074,7 +59316,7 @@ index 0000000..6c081d0 +/usr/sbin/wpa_cli, /sbin/wpa_cli + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -58119,7 +59361,7 @@ index 0000000..6c081d0 +selinux(8), wpa(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/xauth_selinux.8 b/man/man8/xauth_selinux.8 new file mode 100644 -index 0000000..7d613d7 +index 0000000..cd01807 --- /dev/null +++ b/man/man8/xauth_selinux.8 @@ -0,0 +1,111 @@ 
@@ -58191,7 +59433,7 @@ index 0000000..7d613d7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -58236,7 +59478,7 @@ index 0000000..7d613d7 +selinux(8), xauth(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/xdm_selinux.8 b/man/man8/xdm_selinux.8 new file mode 100644 -index 0000000..729ab4a +index 0000000..8fdf373 --- /dev/null +++ b/man/man8/xdm_selinux.8 @@ -0,0 +1,257 @@ @@ -58253,14 +59495,14 @@ index 0000000..729ab4a + + +.PP -+If you want to allow the graphical login program to login directly as sysadm_r:sysadm_, you must turn on the xdm_sysadm_login boolean. ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. + +.EX +.B setsebool -P xdm_sysadm_login 1 +.EE + +.PP -+If you want to allow the graphical login program to execute bootloade, you must turn on the xdm_exec_bootloader boolean. ++If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean. + +.EX +.B setsebool -P xdm_exec_bootloader 1 
@@ -58422,7 +59664,7 @@ index 0000000..729ab4a +/etc/kde[34]?/kdm/backgroundrc, /var/run/slim.*, /var/run/lxdm(/.*)?, /usr/lib/qt-.*/etc/settings(/.*)?, /var/run/lxdm\.auth, /var/run/systemd/multi-session-x(/.*)?, /var/run/xauth(/.*)?, /var/run/xdmctl(/.*)?, /var/run/[gx]dm\.pid, /var/run/[kgm]dm(/.*)?, /var/run/slim(/.*)?, /var/run/gdm_socket, /var/run/lxdm\.pid, /var/run/lightdm(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -58464,7 +59706,7 @@ index 0000000..729ab4a +The following process types are defined for xdm: + +.EX -+.B xdm_t, xdm_dbusd_t, xdm_unconfined_t ++.B xdm_t, xdm_dbusd_t +.EE +.PP +Note: @@ -58500,7 +59742,7 @@ index 0000000..729ab4a \ No newline at end of file diff --git a/man/man8/xenconsoled_selinux.8 b/man/man8/xenconsoled_selinux.8 new file mode 100644 -index 0000000..1693d56 +index 0000000..ace8c33 --- /dev/null +++ b/man/man8/xenconsoled_selinux.8 @@ -0,0 +1,81 @@ @@ -58542,7 +59784,7 @@ index 0000000..1693d56 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -58587,7 +59829,7 @@ index 0000000..1693d56 +selinux(8), xenconsoled(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/xend_selinux.8 b/man/man8/xend_selinux.8 new file mode 100644 -index 0000000..bd5ca3c +index 0000000..6d13960 --- /dev/null 
+++ b/man/man8/xend_selinux.8 @@ -0,0 +1,172 @@ @@ -58604,7 +59846,7 @@ index 0000000..bd5ca3c + + +.PP -+If you want to allow xen to manage nfs file, you must turn on the xen_use_nfs boolean. ++If you want to allow xen to manage nfs files, you must turn on the xen_use_nfs boolean. + +.EX +.B setsebool -P xen_use_nfs 1 @@ -58675,7 +59917,7 @@ index 0000000..bd5ca3c +.br +.TP 5 +Paths: -+/var/log/xen(/.*)?, /var/log/xen-hotplug\.log, /var/log/xend\.log, /var/log/xend-debug\.log ++/var/log/xen-hotplug\.log.*, /var/log/xen(/.*)?, /var/log/xend-debug\.log.*, /var/log/xend\.log.* + +.EX +.PP @@ -58690,7 +59932,7 @@ index 0000000..bd5ca3c +/var/run/xenner(/.*)?, /var/run/xend(/.*)?, /var/run/xend\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -58766,7 +60008,7 @@ index 0000000..bd5ca3c \ No newline at end of file diff --git a/man/man8/xenstored_selinux.8 b/man/man8/xenstored_selinux.8 new file mode 100644 -index 0000000..b799204 +index 0000000..6143bee --- /dev/null +++ b/man/man8/xenstored_selinux.8 @@ -0,0 +1,109 @@ @@ -58836,7 +60078,7 @@ index 0000000..b799204 +/var/run/xenstore\.pid, /var/run/xenstored(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -59118,7 +60360,7 @@ index 0000000..2478817 +selinux(8), semanage(8). 
diff --git a/man/man8/xserver_selinux.8 b/man/man8/xserver_selinux.8 new file mode 100644 -index 0000000..e104d51 +index 0000000..ac568e6 --- /dev/null +++ b/man/man8/xserver_selinux.8 @@ -0,0 +1,193 @@ @@ -59135,21 +60377,21 @@ index 0000000..e104d51 + + +.PP -+If you want to support X userspace object manage, you must turn on the xserver_object_manager boolean. ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. + +.EX +.B setsebool -P xserver_object_manager 1 +.EE + +.PP -+If you want to allows XServer to execute writable memor, you must turn on the xserver_execmem boolean. ++If you want to allows XServer to execute writable memory, you must turn on the xserver_execmem boolean. + +.EX +.B setsebool -P xserver_execmem 1 +.EE + +.PP -+If you want to allow confined virtual guests to interact with the xserve, you must turn on the virt_use_xserver boolean. ++If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean. + +.EX +.B setsebool -P virt_use_xserver 1 @@ -59242,7 +60484,7 @@ index 0000000..e104d51 +/var/run/xorg(/.*)?, /var/run/video.rom + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -59317,7 +60559,7 @@ index 0000000..e104d51 +, setsebool(8) \ No newline at end of file diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8 -index 5061a5f..474160f 100644 +index 5061a5f..a89264a 100644 --- a/man/man8/ypbind_selinux.8 +++ b/man/man8/ypbind_selinux.8 @@ -1,19 +1,109 @@ 
@@ -59398,7 +60640,7 @@ index 5061a5f..474160f 100644 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -59445,7 +60687,7 @@ index 5061a5f..474160f 100644 +selinux(8), ypbind(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/yppasswdd_selinux.8 b/man/man8/yppasswdd_selinux.8 new file mode 100644 -index 0000000..982aeba +index 0000000..2881e38 --- /dev/null +++ b/man/man8/yppasswdd_selinux.8 @@ -0,0 +1,85 @@ @@ -59491,7 +60733,7 @@ index 0000000..982aeba + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -59536,7 +60778,7 @@ index 0000000..982aeba +selinux(8), yppasswdd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ypserv_selinux.8 b/man/man8/ypserv_selinux.8 new file mode 100644 -index 0000000..3ba6a0a +index 0000000..8206c6b --- /dev/null +++ b/man/man8/ypserv_selinux.8 @@ -0,0 +1,97 @@ 
@@ -59594,7 +60836,7 @@ index 0000000..3ba6a0a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -59639,7 +60881,7 @@ index 0000000..3ba6a0a +selinux(8), ypserv(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ypxfr_selinux.8 b/man/man8/ypxfr_selinux.8 new file mode 100644 -index 0000000..a6a3716 +index 0000000..a5abcec --- /dev/null +++ b/man/man8/ypxfr_selinux.8 @@ -0,0 +1,85 @@ @@ -59685,7 +60927,7 @@ index 0000000..a6a3716 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -59730,7 +60972,7 @@ index 0000000..a6a3716 +selinux(8), ypxfr(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/zabbix_selinux.8 b/man/man8/zabbix_selinux.8 new file mode 100644 -index 0000000..91db3b2 +index 0000000..583271e --- /dev/null +++ b/man/man8/zabbix_selinux.8 @@ -0,0 +1,210 @@ 
@@ -59747,14 +60989,14 @@ index 0000000..91db3b2 + + +.PP -+If you want to allow zabbix to connect to unreserved port, you must turn on the zabbix_can_network boolean. ++If you want to allow zabbix to connect to unreserved ports, you must turn on the zabbix_can_network boolean. + +.EX +.B setsebool -P zabbix_can_network 1 +.EE + +.PP -+If you want to allow http daemon to connect to zabbi, you must turn on the httpd_can_connect_zabbix boolean. ++If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean. + +.EX +.B setsebool -P httpd_can_connect_zabbix 1 @@ -59860,7 +61102,7 @@ index 0000000..91db3b2 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -59947,7 +61189,7 @@ index 0000000..91db3b2 \ No newline at end of file diff --git a/man/man8/zarafa_selinux.8 b/man/man8/zarafa_selinux.8 new file mode 100644 -index 0000000..47f7399 +index 0000000..3937f44 --- /dev/null +++ b/man/man8/zarafa_selinux.8 @@ -0,0 +1,333 @@ @@ -60215,7 +61457,7 @@ index 0000000..47f7399 +/var/lib/zarafa-webaccess(/.*)?, /var/lib/zarafa(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -60286,7 +61528,7 @@ index 0000000..47f7399 +selinux(8), zarafa(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/zebra_selinux.8 b/man/man8/zebra_selinux.8 new file mode 100644 -index 0000000..56e8ffe +index 0000000..29db127 --- /dev/null +++ b/man/man8/zebra_selinux.8 @@ -0,0 +1,176 @@ @@ -60303,7 +61545,7 @@ index 0000000..56e8ffe + + +.PP -+If you want to allow zebra daemon to write it configuration file, you must turn on the zebra_write_config boolean. ++If you want to allow zebra daemon to write it configuration files, you must turn on the zebra_write_config boolean. + +.EX +.B setsebool -P zebra_write_config 1 @@ -60391,7 +61633,7 @@ index 0000000..56e8ffe +/var/run/\.zserv, /var/run/\.zebra, /var/run/quagga(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -60469,7 +61711,7 @@ index 0000000..56e8ffe \ No newline at end of file diff --git a/man/man8/zoneminder_selinux.8 b/man/man8/zoneminder_selinux.8 new file mode 100644 -index 0000000..2c64f7b +index 0000000..810320c --- /dev/null +++ b/man/man8/zoneminder_selinux.8 @@ -0,0 +1,173 @@ @@ -60568,7 +61810,7 @@ index 0000000..2c64f7b +.br +.TP 5 +Paths: -+/var/log/zoneminder(/.*)?, /var/log/motion\.log ++/var/log/zoneminder(/.*)?, /var/log/motion\.log.* + +.EX +.PP @@ -60603,7 +61845,7 @@ index 0000000..2c64f7b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -60648,7 +61890,7 @@ index 0000000..2c64f7b +selinux(8), zoneminder(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/zos_selinux.8 b/man/man8/zos_selinux.8 new file mode 100644 -index 0000000..a244707 +index 0000000..ec9a6d7 --- /dev/null +++ b/man/man8/zos_selinux.8 @@ -0,0 +1,91 @@ @@ -60700,7 +61942,7 @@ index 0000000..a244707 +/sbin/audispd-zos-remote, /usr/sbin/audispd-zos-remote + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -61543,7 +62785,7 @@ index c6ca761..46e0767 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index e0791b9..98d188e 100644 +index e0791b9..9d5a8c0 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -41,6 +41,7 @@ allow netutils_t self:packet_socket create_socket_perms; 
@@ -61554,16 +62796,18 @@ index e0791b9..98d188e 100644 manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) -@@ -48,6 +49,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) +@@ -48,8 +49,9 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) kernel_search_proc(netutils_t) kernel_read_all_sysctls(netutils_t) +kernel_read_network_state(netutils_t) +kernel_request_load_module(netutils_t) - corenet_all_recvfrom_unlabeled(netutils_t) +-corenet_all_recvfrom_unlabeled(netutils_t) corenet_all_recvfrom_netlabel(netutils_t) -@@ -64,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t) + corenet_tcp_sendrecv_generic_if(netutils_t) + corenet_raw_sendrecv_generic_if(netutils_t) +@@ -64,6 +66,9 @@ corenet_sendrecv_all_client_packets(netutils_t) corenet_udp_bind_generic_node(netutils_t) dev_read_sysfs(netutils_t) @@ -61573,7 +62817,7 @@ index e0791b9..98d188e 100644 fs_getattr_xattr_fs(netutils_t) -@@ -83,7 +89,7 @@ logging_send_syslog_msg(netutils_t) +@@ -83,7 +88,7 @@ logging_send_syslog_msg(netutils_t) miscfiles_read_localization(netutils_t) term_dontaudit_use_console(netutils_t) @@ -61582,7 +62826,7 @@ index e0791b9..98d188e 100644 userdom_use_all_users_fds(netutils_t) optional_policy(` -@@ -104,6 +110,8 @@ optional_policy(` +@@ -104,13 +109,14 @@ optional_policy(` # allow ping_t self:capability { setuid net_raw }; 
@@ -61591,7 +62835,14 @@ index e0791b9..98d188e 100644 dontaudit ping_t self:capability sys_tty_config; allow ping_t self:tcp_socket create_socket_perms; allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; -@@ -134,8 +142,6 @@ logging_send_syslog_msg(ping_t) + allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; + allow ping_t self:netlink_route_socket create_netlink_socket_perms; + +-corenet_all_recvfrom_unlabeled(ping_t) + corenet_all_recvfrom_netlabel(ping_t) + corenet_tcp_sendrecv_generic_if(ping_t) + corenet_raw_sendrecv_generic_if(ping_t) +@@ -134,8 +140,6 @@ logging_send_syslog_msg(ping_t) miscfiles_read_localization(ping_t) @@ -61600,7 +62851,7 @@ index e0791b9..98d188e 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -145,11 +151,25 @@ ifdef(`hide_broken_symptoms',` +@@ -145,11 +149,25 @@ ifdef(`hide_broken_symptoms',` ') ') @@ -61626,7 +62877,7 @@ index e0791b9..98d188e 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -157,6 +177,10 @@ optional_policy(` +@@ -157,6 +175,10 @@ optional_policy(` hotplug_use_fds(ping_t) ') @@ -61637,7 +62888,15 @@ index e0791b9..98d188e 100644 ######################################## # # Traceroute local policy -@@ -194,6 +218,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -170,7 +192,6 @@ allow traceroute_t self:udp_socket create_socket_perms; + kernel_read_system_state(traceroute_t) + kernel_read_network_state(traceroute_t) + +-corenet_all_recvfrom_unlabeled(traceroute_t) + corenet_all_recvfrom_netlabel(traceroute_t) + corenet_tcp_sendrecv_generic_if(traceroute_t) + corenet_udp_sendrecv_generic_if(traceroute_t) +@@ -194,6 +215,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) 
@@ -61645,7 +62904,7 @@ index e0791b9..98d188e 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -204,9 +229,16 @@ logging_send_syslog_msg(traceroute_t) +@@ -204,9 +226,16 @@ logging_send_syslog_msg(traceroute_t) miscfiles_read_localization(traceroute_t) @@ -63285,7 +64544,7 @@ index f9b25c1..9af1f7a 100644 +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in -index 07126bd..0ebac89 100644 +index 07126bd..a69c99d 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -55,6 +55,7 @@ interface(`corenet_reserved_port',` @@ -63850,11 +65109,36 @@ index 07126bd..0ebac89 100644 ## Send and receive TCP network traffic on all reserved ports. ## ## -@@ -1772,7 +2106,208 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` - - ######################################## - ## --## Bind TCP sockets to all reserved ports. +@@ -1747,17 +2081,215 @@ interface(`corenet_udp_send_all_reserved_ports',` + ## + ## + # +-interface(`corenet_udp_receive_all_reserved_ports',` ++interface(`corenet_udp_receive_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ allow $1 reserved_port_type:udp_socket recv_msg; ++') ++ ++######################################## ++## ++## Send and receive UDP network traffic on all reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_udp_sendrecv_all_reserved_ports',` ++ corenet_udp_send_all_reserved_ports($1) ++ corenet_udp_receive_all_reserved_ports($1) ++') ++ ++######################################## ++## +## Bind DCCP sockets to all reserved ports. +## +## 
@@ -64029,33 +65313,40 @@ index 07126bd..0ebac89 100644 +## +# +interface(`corenet_tcp_bind_all_ephemeral_ports',` -+ gen_require(` + gen_require(` +- attribute reserved_port_type; + attribute ephemeral_port_type; -+ ') -+ + ') + +- allow $1 reserved_port_type:udp_socket recv_msg; + allow $1 ephemeral_port_type:tcp_socket name_bind; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Send and receive UDP network traffic on all reserved ports. +## Bind UDP sockets to all ports > 32768. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -1765,14 +2297,17 @@ interface(`corenet_udp_receive_all_reserved_ports',` + ## + ## + # +-interface(`corenet_udp_sendrecv_all_reserved_ports',` +- corenet_udp_send_all_reserved_ports($1) +- corenet_udp_receive_all_reserved_ports($1) +interface(`corenet_udp_bind_all_ephemeral_ports',` + gen_require(` + attribute ephemeral_port_type; + ') + + allow $1 ephemeral_port_type:udp_socket name_bind; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Bind TCP sockets to all reserved ports. +## Connect DCCP sockets to reserved ports. ## ## 
@@ -64391,54 +65682,34 @@ index 07126bd..0ebac89 100644 ## Receive TCP packets from a NetLabel connection. ## ## -@@ -2213,6 +2840,31 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -2213,7 +2840,7 @@ interface(`corenet_tcp_recvfrom_netlabel',` ######################################## ## +-## Receive TCP packets from an unlabled connection. +## Receive DCCP packets from an unlabled connection. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_dccp_recvfrom_unlabeled',` -+ gen_require(` -+ attribute corenet_unlabeled_type; -+ ') -+ -+ kernel_dccp_recvfrom_unlabeled($1) -+ kernel_recvfrom_unlabeled_peer($1) -+ -+ typeattribute $1 corenet_unlabeled_type; -+ # XXX - at some point the oubound/send access check will be removed -+ # but for right now we need to keep this in place so as not to break -+ # older systems -+ kernel_sendrecv_unlabeled_association($1) -+') -+ -+######################################## -+## - ## Receive TCP packets from an unlabled connection. ## ## -@@ -2222,9 +2874,14 @@ interface(`corenet_tcp_recvfrom_netlabel',` + ## +@@ -2221,10 +2848,15 @@ interface(`corenet_tcp_recvfrom_netlabel',` + ## ## # - interface(`corenet_tcp_recvfrom_unlabeled',` +-interface(`corenet_tcp_recvfrom_unlabeled',` +- kernel_tcp_recvfrom_unlabeled($1) ++interface(`corenet_dccp_recvfrom_unlabeled',` + gen_require(` -+ attribute corenet_unlabeled_type; ++ attribute corenet_unlabeled_type; + ') + - kernel_tcp_recvfrom_unlabeled($1) ++ kernel_dccp_recvfrom_unlabeled($1) kernel_recvfrom_unlabeled_peer($1) + typeattribute $1 corenet_unlabeled_type; # XXX - at some point the oubound/send access check will be removed # but for right now we need to keep this in place so as not to break # older systems -@@ -2249,6 +2906,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` +@@ -2249,6 +2881,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` ######################################## ## 
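Review bot: In the inner `@@ -2221,10 +2848,15 @@` hunk of corenetwork.if.in the existing `corenet_tcp_recvfrom_unlabeled` interface is rewritten in place into `corenet_dccp_recvfrom_unlabeled` (the preceding `@@ -2213,7 +2840,7 @@` hunk changes its description from TCP to DCCP the same way), whereas the earlier version of the patch added the DCCP interface next to the TCP one; unless the TCP interface is defined again somewhere else in the patch, any module still calling it will fail to build. The new body also does `typeattribute $1 corenet_unlabeled_type;`, and the attribute rules this commit adds to corenetwork.te.in grant unlabeled receive for dccp, tcp, udp and raw sockets, so the interface is no longer DCCP-specific despite its name and description; either drop the typeattribute line and keep only `kernel_dccp_recvfrom_unlabeled($1)` and `kernel_recvfrom_unlabeled_peer($1)`, or state in the description that it is equivalent to `corenet_all_recvfrom_unlabeled`. The description line still carries the upstream typo `unlabled`. The interface's closing lines are outside this hunk.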
@@ -64465,7 +65736,7 @@ index 07126bd..0ebac89 100644 ## Do not audit attempts to receive TCP packets from a NetLabel ## connection. ## -@@ -2269,6 +2946,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` +@@ -2269,6 +2921,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` ######################################## ## @@ -64493,15 +65764,27 @@ index 07126bd..0ebac89 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2533,6 +3231,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` +@@ -2533,15 +3206,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` ## # interface(`corenet_all_recvfrom_unlabeled',` -+ kernel_dccp_recvfrom_unlabeled($1) - kernel_tcp_recvfrom_unlabeled($1) - kernel_udp_recvfrom_unlabeled($1) - kernel_raw_recvfrom_unlabeled($1) -@@ -2571,7 +3270,31 @@ interface(`corenet_all_recvfrom_netlabel',` +- kernel_tcp_recvfrom_unlabeled($1) +- kernel_udp_recvfrom_unlabeled($1) +- kernel_raw_recvfrom_unlabeled($1) +- kernel_recvfrom_unlabeled_peer($1) +- +- # XXX - at some point the oubound/send access check will be removed +- # but for right now we need to keep this in place so as not to break +- # older systems +- kernel_sendrecv_unlabeled_association($1) ++ gen_require(` ++ attribute corenet_unlabeled_type; ++ ') ++ typeattribute $1 corenet_unlabeled_type; + ') + + ######################################## +@@ -2571,7 +3239,31 @@ interface(`corenet_all_recvfrom_netlabel',` ') allow $1 netlabel_peer_t:peer recv; @@ -64534,7 +65817,7 @@ index 07126bd..0ebac89 100644 ') ######################################## -@@ -2585,6 +3308,7 @@ interface(`corenet_all_recvfrom_netlabel',` +@@ -2585,6 +3277,7 @@ interface(`corenet_all_recvfrom_netlabel',` ## # interface(`corenet_dontaudit_all_recvfrom_unlabeled',` 
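Review bot: The rewritten `corenet_all_recvfrom_unlabeled` (inner hunk `@@ -2533,15 +3206,10 @@`) drops `kernel_sendrecv_unlabeled_association($1)` together with the XXX comment explaining that older systems still perform the outbound/send association check, and the attribute-level rules this commit adds to corenetwork.te.in (`kernel_*_recvfrom_unlabeled(corenet_unlabeled_type)`, `kernel_recvfrom_unlabeled_peer(corenet_unlabeled_type)`) do not add it back, while `corenet_dccp_recvfrom_unlabeled` in the previous hunk keeps it. Unless that compatibility path is being retired on purpose, add `kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)` next to the other attribute rules so every domain converted by this commit keeps the permissions it had before. As a style point, the new body puts `typeattribute $1 corenet_unlabeled_type;` directly after the `gen_require` block without the blank line the other interfaces in this file use.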
@@ -64542,7 +65825,7 @@ index 07126bd..0ebac89 100644 kernel_dontaudit_tcp_recvfrom_unlabeled($1) kernel_dontaudit_udp_recvfrom_unlabeled($1) kernel_dontaudit_raw_recvfrom_unlabeled($1) -@@ -2613,7 +3337,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` +@@ -2613,7 +3306,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` ') dontaudit $1 netlabel_peer_t:peer recv; @@ -64579,7 +65862,7 @@ index 07126bd..0ebac89 100644 ') ######################################## -@@ -2727,6 +3479,7 @@ interface(`corenet_raw_recvfrom_labeled',` +@@ -2727,6 +3448,7 @@ interface(`corenet_raw_recvfrom_labeled',` ## # interface(`corenet_all_recvfrom_labeled',` @@ -64587,7 +65870,7 @@ index 07126bd..0ebac89 100644 corenet_tcp_recvfrom_labeled($1, $2) corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) -@@ -3134,3 +3887,53 @@ interface(`corenet_unconfined',` +@@ -3134,3 +3856,53 @@ interface(`corenet_unconfined',` typeattribute $1 corenet_unconfined_type; ') @@ -64673,7 +65956,7 @@ index 8e0f9cd..da3b374 100644 ## ## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 97978e3..8af38f3 100644 +index 97978e3..0cc85e4 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -14,12 +14,14 @@ attribute node_type; @@ -64985,7 +66268,7 @@ index 97978e3..8af38f3 100644 ######################################## # -@@ -297,9 +377,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -297,9 +377,19 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; 
@@ -64998,6 +66281,15 @@ index 97978e3..8af38f3 100644 -allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; +allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind; +allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind; ++ ++# ++# Rules coverning the use of unlabeled types ++# ++kernel_dccp_recvfrom_unlabeled(corenet_unlabeled_type) ++kernel_tcp_recvfrom_unlabeled(corenet_unlabeled_type) ++kernel_udp_recvfrom_unlabeled(corenet_unlabeled_type) ++kernel_raw_recvfrom_unlabeled(corenet_unlabeled_type) ++kernel_recvfrom_unlabeled_peer(corenet_unlabeled_type) diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 index 3f6e168..51ad69a 100644 --- a/policy/modules/kernel/corenetwork.te.m4 @@ -66804,14 +68096,13 @@ index 74894d7..94d5f10 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..ffaa90a 100644 +index 6a1e4d1..eee8419 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if -@@ -75,34 +75,6 @@ interface(`domain_base_type',` - interface(`domain_type',` +@@ -76,33 +76,8 @@ interface(`domain_type',` # start with basic domain domain_base_type($1) -- + - ifdef(`distro_redhat',` - optional_policy(` - unconfined_use_fds($1) 
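Review bot: The comment above the new attribute rules in corenetwork.te.in has a typo: `# Rules coverning the use of unlabeled types` should read `# Rules governing the use of unlabeled types`. These five rules are unconditional allows on `corenet_unlabeled_type`, so the attribute membership itself is the only visible control over unlabeled-packet access; since domain.if in this commit makes every `domain_type` a member, a sentence here naming what is expected to remove or restrict the attribute would tell a reader where the switch actually lives. The `corenet_unconfined_type` bind rules these are appended to begin outside this hunk.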
@@ -66839,10 +68130,39 @@ index 6a1e4d1..ffaa90a 100644 - optional_policy(` - seutil_dontaudit_read_config($1) - ') ++ # Only way to get corenet_unlabeled packets disabled to work ++ corenet_all_recvfrom_unlabeled($1) ') ######################################## -@@ -631,7 +603,7 @@ interface(`domain_read_all_domains_state',` +@@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',` + + ######################################## + ## ++## Do not audit attempts to send ++## signulls to all domains. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`domain_dontaudit_signull_all_domains',` ++ gen_require(` ++ attribute domain; ++ ') ++ ++ dontaudit $1 domain:process signull; ++') ++ ++######################################## ++## + ## Send a stop signal to all domains. + ## + ## +@@ -631,7 +626,7 @@ interface(`domain_read_all_domains_state',` ######################################## ## @@ -66851,7 +68171,7 @@ index 6a1e4d1..ffaa90a 100644 ## ## ## -@@ -655,7 +627,7 @@ interface(`domain_getattr_all_domains',` +@@ -655,7 +650,7 @@ interface(`domain_getattr_all_domains',` ## ## ## @@ -66860,7 +68180,7 @@ index 6a1e4d1..ffaa90a 100644 ## ## # -@@ -1356,6 +1328,24 @@ interface(`domain_manage_all_entry_files',` +@@ -1356,6 +1351,24 @@ interface(`domain_manage_all_entry_files',` ######################################## ## @@ -66885,7 +68205,7 @@ index 6a1e4d1..ffaa90a 100644 ## Relabel to and from all entry point ## file types. ## -@@ -1530,4 +1520,29 @@ interface(`domain_unconfined',` +@@ -1530,4 +1543,29 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; @@ -67409,7 +68729,7 @@ index 4429d30..b8f8a82 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) 
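Review bot: `domain_type` now calls `corenet_all_recvfrom_unlabeled($1)` for every domain, which reverses the previous opt-in model: receiving unlabeled network traffic becomes a default capability of all confined domains, and as far as this hunk shows the only remaining control is whatever later restricts the `corenet_unlabeled_type` attribute. The comment `# Only way to get corenet_unlabeled packets disabled to work` does not say what that mechanism is; suggest `# All domains receive unlabeled packets via corenet_unlabeled_type; that attribute is the single place where unlabeled-packet access can be switched off` and name the boolean or module that does the switching, if one exists. The `domain_type` interface starts outside this hunk, so the removed `distro_redhat` block is only partially visible. The new `domain_dontaudit_signull_all_domains` interface matches the existing `domain_signull_all_domains` in shape and documentation.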
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 41346fb..6e7808a 100644 +index 41346fb..002fe16 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -69097,7 +70417,7 @@ index 41346fb..6e7808a 100644 + attribute non_security_file_type; + ') + -+ allow $1 non_security_file_type:file_class_set unlink; ++ allow $1 non_security_file_type:file_class_set delete_file_perms; +') + +######################################## @@ -70798,7 +72118,7 @@ index 4bf45cb..712189d 100644 + dontaudit $1 sysctl_type:file getattr; ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index b285b90..3e933a1 100644 +index b285b90..129a0ec 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -58,6 +58,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) @@ -70818,7 +72138,15 @@ index b285b90..3e933a1 100644 # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -244,17 +247,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) +@@ -233,7 +236,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; + corenet_in_generic_if(unlabeled_t) + corenet_in_generic_node(unlabeled_t) + +-corenet_all_recvfrom_unlabeled(kernel_t) + corenet_all_recvfrom_netlabel(kernel_t) + # Kernel-generated traffic e.g., ICMP replies: + corenet_raw_sendrecv_all_if(kernel_t) +@@ -244,17 +246,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) @@ -70844,7 +72172,7 @@ index b285b90..3e933a1 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -263,7 +270,8 @@ fs_unmount_all_fs(kernel_t) +@@ -263,7 +269,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) 
@@ -70854,7 +72182,7 @@ index b285b90..3e933a1 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,25 +285,47 @@ files_list_root(kernel_t) +@@ -277,25 +284,47 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -70902,7 +72230,7 @@ index b285b90..3e933a1 100644 ') optional_policy(` -@@ -305,6 +335,19 @@ optional_policy(` +@@ -305,6 +334,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -70922,7 +72250,7 @@ index b285b90..3e933a1 100644 ') optional_policy(` -@@ -334,7 +377,6 @@ optional_policy(` +@@ -334,7 +376,6 @@ optional_policy(` rpc_manage_nfs_ro_content(kernel_t) rpc_manage_nfs_rw_content(kernel_t) @@ -70930,7 +72258,7 @@ index b285b90..3e933a1 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +385,7 @@ optional_policy(` +@@ -343,9 +384,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -70941,7 +72269,7 @@ index b285b90..3e933a1 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +394,7 @@ optional_policy(` +@@ -354,7 +393,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -70950,7 +72278,7 @@ index b285b90..3e933a1 100644 ') ') -@@ -367,6 +407,15 @@ optional_policy(` +@@ -367,6 +406,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -70966,7 +72294,7 @@ index b285b90..3e933a1 100644 ######################################## # # Unlabeled process local policy -@@ -409,4 +458,17 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; +@@ -409,4 +457,17 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; @@ -75017,7 +76345,7 @@ index ecef19f..fcbc25a 100644 postgresql_tcp_connect($1) 
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 6b336e7..d89449c 100644 +index 6b336e7..236e7c7 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,9 +19,9 @@ gen_require(` @@ -75051,7 +76379,15 @@ index 6b336e7..d89449c 100644 can_exec(postgresql_t, postgresql_exec_t ) allow postgresql_t postgresql_lock_t:file manage_file_perms; -@@ -341,8 +341,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) +@@ -303,7 +303,6 @@ kernel_list_proc(postgresql_t) + kernel_read_all_sysctls(postgresql_t) + kernel_read_proc_symlinks(postgresql_t) + +-corenet_all_recvfrom_unlabeled(postgresql_t) + corenet_all_recvfrom_netlabel(postgresql_t) + corenet_tcp_sendrecv_generic_if(postgresql_t) + corenet_udp_sendrecv_generic_if(postgresql_t) +@@ -341,8 +340,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) domain_use_interactive_fds(postgresql_t) files_dontaudit_search_home(postgresql_t) @@ -75061,7 +76397,7 @@ index 6b336e7..d89449c 100644 files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) -@@ -366,7 +365,7 @@ optional_policy(` +@@ -366,7 +364,7 @@ optional_policy(` mta_getattr_spool(postgresql_t) ') @@ -75104,7 +76440,7 @@ index 078bcd7..8ed5b99 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..93ec53f 100644 +index fe0c682..61070e4 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -75131,7 +76467,7 @@ index fe0c682..93ec53f 100644 ############################## # # Client local policy -@@ -89,22 +86,26 @@ template(`ssh_basic_client_template',` +@@ -89,33 +86,38 @@ template(`ssh_basic_client_template',` # or "regular" (not special like sshd_extern_t) servers allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms; 
@@ -75166,7 +76502,11 @@ index fe0c682..93ec53f 100644 kernel_read_kernel_sysctls($1_ssh_t) kernel_read_system_state($1_ssh_t) -@@ -116,6 +117,8 @@ template(`ssh_basic_client_template',` + +- corenet_all_recvfrom_unlabeled($1_ssh_t) + corenet_all_recvfrom_netlabel($1_ssh_t) + corenet_tcp_sendrecv_generic_if($1_ssh_t) + corenet_tcp_sendrecv_generic_node($1_ssh_t) corenet_tcp_sendrecv_all_ports($1_ssh_t) corenet_tcp_connect_ssh_port($1_ssh_t) corenet_sendrecv_ssh_client_packets($1_ssh_t) @@ -75175,7 +76515,7 @@ index fe0c682..93ec53f 100644 dev_read_urand($1_ssh_t) -@@ -148,6 +151,29 @@ template(`ssh_basic_client_template',` +@@ -148,6 +150,29 @@ template(`ssh_basic_client_template',` ') ') @@ -75205,7 +76545,7 @@ index fe0c682..93ec53f 100644 ####################################### ## ## The template to define a ssh server. -@@ -168,7 +194,7 @@ template(`ssh_basic_client_template',` +@@ -168,7 +193,7 @@ template(`ssh_basic_client_template',` ## ## # @@ -75214,7 +76554,7 @@ index fe0c682..93ec53f 100644 type $1_t, ssh_server; auth_login_pgm_domain($1_t) -@@ -181,16 +207,18 @@ template(`ssh_server_template', ` +@@ -181,16 +206,18 @@ template(`ssh_server_template', ` type $1_var_run_t; files_pid_file($1_var_run_t) @@ -75236,7 +76576,7 @@ index fe0c682..93ec53f 100644 term_create_pty($1_t, $1_devpts_t) manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -@@ -206,6 +234,7 @@ template(`ssh_server_template', ` +@@ -206,6 +233,7 @@ template(`ssh_server_template', ` kernel_read_kernel_sysctls($1_t) kernel_read_network_state($1_t) @@ -75244,7 +76584,7 @@ index fe0c682..93ec53f 100644 corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) -@@ -220,10 +249,13 @@ template(`ssh_server_template', ` +@@ -220,10 +248,13 @@ template(`ssh_server_template', ` corenet_tcp_bind_generic_node($1_t) corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) 
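Review bot: In the inner `@@ -206,6 +233,7 @@` hunk of ssh.if, `ssh_server_template` still calls `corenet_all_recvfrom_unlabeled($1_t)` (kept as a context line) while the same commit removes the call from `ssh_basic_client_template` in the first hunk on this line and from `ssh_t` in ssh.te. If the server domain is a `domain_type`, it already receives the `corenet_unlabeled_type` attribute from domain.if, so the explicit call is redundant and should be dropped for consistency with the commit's stated goal of removing these calls from policy files; if it is not a `domain_type`, a comment saying why the server keeps the explicit call would prevent the next cleanup from removing it. `ssh_server_template` begins and ends outside this hunk.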
@@ -75260,7 +76600,7 @@ index fe0c682..93ec53f 100644 auth_rw_login_records($1_t) auth_rw_faillog($1_t) -@@ -234,6 +266,7 @@ template(`ssh_server_template', ` +@@ -234,6 +265,7 @@ template(`ssh_server_template', ` corecmd_getattr_bin_files($1_t) domain_interactive_fd($1_t) @@ -75268,7 +76608,7 @@ index fe0c682..93ec53f 100644 files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) -@@ -243,33 +276,33 @@ template(`ssh_server_template', ` +@@ -243,33 +275,33 @@ template(`ssh_server_template', ` miscfiles_read_localization($1_t) @@ -75313,7 +76653,7 @@ index fe0c682..93ec53f 100644 ') ######################################## -@@ -292,14 +325,15 @@ template(`ssh_server_template', ` +@@ -292,14 +324,15 @@ template(`ssh_server_template', ` ## User domain for the role ## ## @@ -75330,7 +76670,7 @@ index fe0c682..93ec53f 100644 ') ############################## -@@ -328,17 +362,20 @@ template(`ssh_role_template',` +@@ -328,17 +361,20 @@ template(`ssh_role_template',` # allow ps to show ssh ps_process_pattern($3, ssh_t) @@ -75352,7 +76692,7 @@ index fe0c682..93ec53f 100644 ############################## # -@@ -358,9 +395,10 @@ template(`ssh_role_template',` +@@ -358,9 +394,10 @@ template(`ssh_role_template',` # for ssh-add stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) @@ -75364,7 +76704,7 @@ index fe0c682..93ec53f 100644 # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) -@@ -382,7 +420,6 @@ template(`ssh_role_template',` +@@ -382,7 +419,6 @@ template(`ssh_role_template',` files_read_etc_files($1_ssh_agent_t) files_read_etc_runtime_files($1_ssh_agent_t) @@ -75372,7 +76712,7 @@ index fe0c682..93ec53f 100644 libs_read_lib_files($1_ssh_agent_t) -@@ -394,28 +431,15 @@ template(`ssh_role_template',` +@@ -394,28 +430,15 @@ template(`ssh_role_template',` seutil_dontaudit_read_config($1_ssh_agent_t) # Write to the user domain tty. 
@@ -75404,7 +76744,7 @@ index fe0c682..93ec53f 100644 optional_policy(` nis_use_ypbind($1_ssh_agent_t) -@@ -496,8 +520,27 @@ interface(`ssh_read_pipes',` +@@ -496,8 +519,27 @@ interface(`ssh_read_pipes',` type sshd_t; ') @@ -75433,7 +76773,7 @@ index fe0c682..93ec53f 100644 ######################################## ## ## Read and write a ssh server unnamed pipe. -@@ -513,7 +556,7 @@ interface(`ssh_rw_pipes',` +@@ -513,7 +555,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') @@ -75442,7 +76782,7 @@ index fe0c682..93ec53f 100644 ') ######################################## -@@ -605,6 +648,24 @@ interface(`ssh_domtrans',` +@@ -605,6 +647,24 @@ interface(`ssh_domtrans',` ######################################## ## @@ -75467,7 +76807,7 @@ index fe0c682..93ec53f 100644 ## Execute the ssh client in the caller domain. ## ## -@@ -637,7 +698,7 @@ interface(`ssh_setattr_key_files',` +@@ -637,7 +697,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') @@ -75476,7 +76816,7 @@ index fe0c682..93ec53f 100644 files_search_pids($1) ') -@@ -662,6 +723,42 @@ interface(`ssh_agent_exec',` +@@ -662,6 +722,42 @@ interface(`ssh_agent_exec',` ######################################## ## @@ -75519,7 +76859,7 @@ index fe0c682..93ec53f 100644 ## Read ssh home directory content ## ## -@@ -701,6 +798,50 @@ interface(`ssh_domtrans_keygen',` +@@ -701,6 +797,50 @@ interface(`ssh_domtrans_keygen',` ######################################## ## @@ -75570,7 +76910,7 @@ index fe0c682..93ec53f 100644 ## Read ssh server keys ## ## -@@ -714,7 +855,7 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -714,7 +854,7 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -75579,7 +76919,7 @@ index fe0c682..93ec53f 100644 ') ###################################### -@@ -754,3 +895,64 @@ interface(`ssh_delete_tmp',` +@@ -754,3 +894,64 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') 
@@ -75645,7 +76985,7 @@ index fe0c682..93ec53f 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index b17e27a..47602cb 100644 +index b17e27a..5c691d1 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0) @@ -75752,7 +77092,7 @@ index b17e27a..47602cb 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -108,20 +117,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -108,32 +117,41 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) @@ -75782,7 +77122,11 @@ index b17e27a..47602cb 100644 kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) -@@ -133,7 +148,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t) + +-corenet_all_recvfrom_unlabeled(ssh_t) + corenet_all_recvfrom_netlabel(ssh_t) + corenet_tcp_sendrecv_generic_if(ssh_t) + corenet_tcp_sendrecv_generic_node(ssh_t) corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) @@ -75794,7 +77138,7 @@ index b17e27a..47602cb 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -157,37 +176,42 @@ logging_read_generic_logs(ssh_t) +@@ -157,37 +175,42 @@ logging_read_generic_logs(ssh_t) auth_use_nsswitch(ssh_t) miscfiles_read_localization(ssh_t) @@ -75855,7 +77199,7 @@ index b17e27a..47602cb 100644 ') optional_policy(` -@@ -195,28 +219,24 @@ optional_policy(` +@@ -195,28 +218,24 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') 
@@ -75888,7 +77232,7 @@ index b17e27a..47602cb 100644 ################################# # # sshd local policy -@@ -227,33 +247,48 @@ optional_policy(` +@@ -227,33 +246,48 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -75946,7 +77290,7 @@ index b17e27a..47602cb 100644 ') optional_policy(` -@@ -261,11 +296,24 @@ optional_policy(` +@@ -261,11 +295,24 @@ optional_policy(` ') optional_policy(` @@ -75972,7 +77316,7 @@ index b17e27a..47602cb 100644 ') optional_policy(` -@@ -283,6 +331,15 @@ optional_policy(` +@@ -283,6 +330,15 @@ optional_policy(` ') optional_policy(` @@ -75988,7 +77332,7 @@ index b17e27a..47602cb 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -290,6 +347,29 @@ optional_policy(` +@@ -290,6 +346,29 @@ optional_policy(` xserver_domtrans_xauth(sshd_t) ') @@ -76018,7 +77362,7 @@ index b17e27a..47602cb 100644 ######################################## # # ssh_keygen local policy -@@ -298,19 +378,26 @@ optional_policy(` +@@ -298,19 +377,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -76046,7 +77390,7 @@ index b17e27a..47602cb 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -327,9 +414,11 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -327,9 +413,11 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -76060,7 +77404,7 @@ index b17e27a..47602cb 100644 ') optional_policy(` -@@ -339,3 +428,83 @@ optional_policy(` +@@ -339,3 +427,83 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -77606,7 +78950,7 @@ index 130ced9..1b31c76 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index c4f7c35..06c447c 100644 +index c4f7c35..6efbf14 100644 --- a/policy/modules/services/xserver.te 
+++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -78044,7 +79388,7 @@ index c4f7c35..06c447c 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,18 +501,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +501,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -78070,9 +79414,11 @@ index c4f7c35..06c447c 100644 corecmd_exec_bin(xdm_t) +corecmd_dontaudit_access_all_executables(xdm_t) - corenet_all_recvfrom_unlabeled(xdm_t) +-corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -388,38 +532,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) + corenet_tcp_sendrecv_generic_if(xdm_t) + corenet_udp_sendrecv_generic_if(xdm_t) +@@ -388,38 +531,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -78125,7 +79471,7 @@ index c4f7c35..06c447c 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +584,25 @@ files_list_mnt(xdm_t) +@@ -430,9 +583,25 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -78151,7 +79497,7 @@ index c4f7c35..06c447c 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +611,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +610,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) 
@@ -78193,7 +79539,7 @@ index c4f7c35..06c447c 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +651,43 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +650,43 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -78243,7 +79589,7 @@ index c4f7c35..06c447c 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +701,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +700,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -78265,7 +79611,7 @@ index c4f7c35..06c447c 100644 ') optional_policy(` -@@ -514,12 +723,64 @@ optional_policy(` +@@ -514,12 +722,64 @@ optional_policy(` ') optional_policy(` @@ -78330,7 +79676,7 @@ index c4f7c35..06c447c 100644 hostname_exec(xdm_t) ') -@@ -537,28 +798,69 @@ optional_policy(` +@@ -537,28 +797,69 @@ optional_policy(` ') optional_policy(` @@ -78409,7 +79755,7 @@ index c4f7c35..06c447c 100644 ') optional_policy(` -@@ -570,6 +872,14 @@ optional_policy(` +@@ -570,6 +871,14 @@ optional_policy(` ') optional_policy(` @@ -78424,7 +79770,7 @@ index c4f7c35..06c447c 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +904,8 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,7 +903,8 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -78434,7 +79780,7 @@ index c4f7c35..06c447c 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -608,8 +919,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +918,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -78450,7 +79796,7 @@ index c4f7c35..06c447c 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -628,12 +946,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +945,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -78472,7 +79818,7 @@ index c4f7c35..06c447c 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,6 +966,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +965,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) 
@@ -78480,7 +79826,13 @@ index c4f7c35..06c447c 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -667,23 +993,28 @@ dev_rw_apm_bios(xserver_t) + corecmd_exec_shell(xserver_t) + +-corenet_all_recvfrom_unlabeled(xserver_t) + corenet_all_recvfrom_netlabel(xserver_t) + corenet_tcp_sendrecv_generic_if(xserver_t) + corenet_udp_sendrecv_generic_if(xserver_t) +@@ -667,23 +991,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -78512,7 +79864,7 @@ index c4f7c35..06c447c 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,8 +1025,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,8 +1023,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -78526,7 +79878,7 @@ index c4f7c35..06c447c 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -708,8 +1044,6 @@ init_getpgid(xserver_t) +@@ -708,8 +1042,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -78535,7 +79887,7 @@ index c4f7c35..06c447c 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -717,11 +1051,12 @@ logging_send_audit_msgs(xserver_t) +@@ -717,11 +1049,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -78550,7 +79902,7 @@ index c4f7c35..06c447c 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -775,16 +1110,40 @@ optional_policy(` +@@ -775,16 +1108,40 @@ optional_policy(` ') optional_policy(` @@ -78592,7 +79944,7 @@ index c4f7c35..06c447c 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1152,10 @@ optional_policy(` +@@ -793,6 +1150,10 @@ optional_policy(` ') optional_policy(` 
@@ -78603,7 +79955,7 @@ index c4f7c35..06c447c 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1171,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1169,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -78617,7 +79969,7 @@ index c4f7c35..06c447c 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1182,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1180,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -78626,7 +79978,7 @@ index c4f7c35..06c447c 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1195,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1193,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -78661,7 +80013,7 @@ index c4f7c35..06c447c 100644 ') optional_policy(` -@@ -859,6 +1217,10 @@ optional_policy(` +@@ -859,6 +1215,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -78672,7 +80024,7 @@ index c4f7c35..06c447c 100644 ######################################## # # Rules common to all X window domains -@@ -902,7 +1264,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1262,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -78681,7 +80033,7 @@ index c4f7c35..06c447c 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1318,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1316,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -78713,7 +80065,7 @@ index c4f7c35..06c447c 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1364,43 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1362,44 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -78761,6 +80113,7 @@ index c4f7c35..06c447c 100644 + unconfined_getpgid(xserver_t) +') + ++allow xdm_t xdm_unconfined_exec_t:dir search_dir_perms; +can_exec(xdm_t, xdm_unconfined_exec_t) + +optional_policy(` @@ -80276,7 +81629,7 @@ index 40eb10c..2a0a32c 100644 corecmd_search_bin($1) diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te -index b2e41cc..a9da830 100644 +index b2e41cc..f2d880c 100644 --- a/policy/modules/system/hotplug.te +++ b/policy/modules/system/hotplug.te @@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t) 
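Review bot: `allow xdm_t xdm_unconfined_exec_t:dir search_dir_perms;`, added just before `can_exec(xdm_t, xdm_unconfined_exec_t)`, grants directory search on a type that is otherwise used for executable files, which only makes sense if some directory is itself labeled `xdm_unconfined_exec_t` in the matching .fc entry (not visible in this chunk). A one-line comment naming that directory, e.g. `# dir holding the unconfined xdm helpers carries xdm_unconfined_exec_t and must be searchable before exec`, would record why a dir rule exists on an exec type and keep a later cleanup from dropping it as dead. Both lines sit outside any `tunable_policy`/`optional_policy` block, so the unconfined helper exec is unconditional; if it is meant to be opt-in it belongs next to the rule that gates it.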
@@ -80288,7 +81641,15 @@ index b2e41cc..a9da830 100644 # for access("/etc/bashrc", X_OK) on Red Hat dontaudit hotplug_t self:capability { dac_override dac_read_search }; allow hotplug_t self:process { setpgid getsession getattr signal_perms }; -@@ -96,6 +96,8 @@ init_domtrans_script(hotplug_t) +@@ -52,7 +52,6 @@ kernel_rw_net_sysctls(hotplug_t) + + files_read_kernel_modules(hotplug_t) + +-corenet_all_recvfrom_unlabeled(hotplug_t) + corenet_all_recvfrom_netlabel(hotplug_t) + corenet_tcp_sendrecv_generic_if(hotplug_t) + corenet_udp_sendrecv_generic_if(hotplug_t) +@@ -96,6 +95,8 @@ init_domtrans_script(hotplug_t) # kernel threads inherit from shared descriptor table used by init init_dontaudit_rw_initctl(hotplug_t) @@ -80297,7 +81658,7 @@ index b2e41cc..a9da830 100644 logging_send_syslog_msg(hotplug_t) logging_search_logs(hotplug_t) -@@ -164,14 +166,6 @@ optional_policy(` +@@ -164,14 +165,6 @@ optional_policy(` ') optional_policy(` @@ -81482,7 +82843,7 @@ index d26fe81..3f3a57f 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 5fb9683..d2c89ca 100644 +index 5fb9683..671de76 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -81909,7 +83270,7 @@ index 5fb9683..d2c89ca 100644 init_write_initctl(initrc_t) -@@ -265,20 +499,35 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -265,20 +499,34 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -81936,7 +83297,7 @@ index 5fb9683..d2c89ca 100644 corecmd_exec_all_executables(initrc_t) - corenet_all_recvfrom_unlabeled(initrc_t) +-corenet_all_recvfrom_unlabeled(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) -corenet_tcp_sendrecv_all_if(initrc_t) -corenet_udp_sendrecv_all_if(initrc_t) 
@@ -81949,7 +83310,7 @@ index 5fb9683..d2c89ca 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -286,6 +535,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -286,6 +534,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -81957,7 +83318,7 @@ index 5fb9683..d2c89ca 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -296,8 +546,10 @@ dev_write_framebuffer(initrc_t) +@@ -296,8 +545,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -81968,7 +83329,7 @@ index 5fb9683..d2c89ca 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -305,17 +557,16 @@ dev_manage_generic_files(initrc_t) +@@ -305,17 +556,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -81988,7 +83349,7 @@ index 5fb9683..d2c89ca 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -323,6 +574,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -323,6 +573,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -81996,7 +83357,7 @@ index 5fb9683..d2c89ca 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -330,8 +582,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -330,8 +581,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -82008,7 +83369,7 @@ index 5fb9683..d2c89ca 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -347,8 +601,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -347,8 +600,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -82022,7 +83383,7 @@ index 5fb9683..d2c89ca 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -358,9 +616,12 @@ fs_mount_all_fs(initrc_t) +@@ -358,9 +615,12 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -82036,7 +83397,7 @@ index 5fb9683..d2c89ca 100644 mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -370,6 +631,7 @@ mls_process_read_up(initrc_t) +@@ -370,6 +630,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -82044,7 +83405,7 @@ index 5fb9683..d2c89ca 100644 selinux_get_enforce_mode(initrc_t) -@@ -381,6 +643,7 @@ term_use_all_terms(initrc_t) +@@ -381,6 +642,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -82052,7 +83413,7 @@ index 5fb9683..d2c89ca 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -401,18 +664,17 @@ logging_read_audit_config(initrc_t) +@@ -401,18 +663,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -82074,7 +83435,7 @@ index 5fb9683..d2c89ca 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -465,6 +727,10 @@ ifdef(`distro_gentoo',` +@@ -465,6 +726,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -82085,7 +83446,7 @@ index 5fb9683..d2c89ca 100644 alsa_read_lib(initrc_t) ') -@@ -485,7 +751,7 @@ ifdef(`distro_redhat',` +@@ -485,7 +750,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -82094,7 +83455,7 @@ index 5fb9683..d2c89ca 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -500,6 +766,7 @@ ifdef(`distro_redhat',` +@@ -500,6 +765,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -82102,7 +83463,7 @@ index 5fb9683..d2c89ca 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -520,6 +787,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +786,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -82110,7 +83471,7 @@ index 5fb9683..d2c89ca 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -529,8 +797,35 @@ ifdef(`distro_redhat',` +@@ -529,8 +796,35 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -82146,7 +83507,7 @@ index 5fb9683..d2c89ca 100644 ') optional_policy(` -@@ -538,14 +833,27 @@ ifdef(`distro_redhat',` +@@ -538,14 +832,27 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -82174,7 +83535,7 @@ index 5fb9683..d2c89ca 100644 ') ') -@@ -556,6 +864,39 @@ ifdef(`distro_suse',` +@@ -556,6 +863,39 @@ ifdef(`distro_suse',` ') ') @@ -82214,7 +83575,7 @@ index 5fb9683..d2c89ca 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -568,6 +909,8 @@ optional_policy(` +@@ -568,6 +908,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -82223,7 +83584,7 @@ index 5fb9683..d2c89ca 100644 ') optional_policy(` -@@ -589,6 +932,7 @@ optional_policy(` +@@ -589,6 +931,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -82231,7 +83592,7 @@ index 5fb9683..d2c89ca 100644 ') optional_policy(` -@@ -601,6 +945,17 @@ optional_policy(` +@@ -601,6 +944,17 @@ optional_policy(` ') optional_policy(` @@ -82249,7 +83610,7 @@ index 5fb9683..d2c89ca 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -617,9 +972,13 @@ optional_policy(` +@@ -617,9 +971,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -82263,7 +83624,7 @@ index 5fb9683..d2c89ca 100644 ') optional_policy(` -@@ -644,6 +1003,10 @@ optional_policy(` +@@ -644,6 +1002,10 @@ optional_policy(` ') optional_policy(` @@ -82274,7 +83635,7 @@ index 5fb9683..d2c89ca 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -661,6 +1024,15 @@ optional_policy(` +@@ -661,6 +1023,15 @@ optional_policy(` ') optional_policy(` @@ -82290,7 +83651,7 @@ index 5fb9683..d2c89ca 100644 inn_exec_config(initrc_t) ') -@@ -701,6 +1073,7 @@ optional_policy(` +@@ -701,6 +1072,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -82298,7 +83659,7 @@ index 5fb9683..d2c89ca 100644 ') optional_policy(` -@@ -718,7 +1091,13 @@ optional_policy(` +@@ -718,7 +1090,13 @@ optional_policy(` ') optional_policy(` @@ -82312,7 +83673,7 @@ index 5fb9683..d2c89ca 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -741,6 +1120,10 @@ optional_policy(` +@@ -741,6 +1119,10 @@ optional_policy(` ') optional_policy(` @@ -82323,7 +83684,7 @@ index 5fb9683..d2c89ca 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -750,10 +1133,20 @@ optional_policy(` +@@ -750,10 +1132,20 @@ optional_policy(` ') optional_policy(` 
@@ -82344,7 +83705,7 @@ index 5fb9683..d2c89ca 100644 quota_manage_flags(initrc_t) ') -@@ -762,6 +1155,10 @@ optional_policy(` +@@ -762,6 +1154,10 @@ optional_policy(` ') optional_policy(` @@ -82355,7 +83716,7 @@ index 5fb9683..d2c89ca 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -783,8 +1180,6 @@ optional_policy(` +@@ -783,8 +1179,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -82364,7 +83725,7 @@ index 5fb9683..d2c89ca 100644 ') optional_policy(` -@@ -793,6 +1188,10 @@ optional_policy(` +@@ -793,6 +1187,10 @@ optional_policy(` ') optional_policy(` @@ -82375,7 +83736,7 @@ index 5fb9683..d2c89ca 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -802,10 +1201,12 @@ optional_policy(` +@@ -802,10 +1200,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -82388,7 +83749,7 @@ index 5fb9683..d2c89ca 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -817,7 +1218,6 @@ optional_policy(` +@@ -817,7 +1217,6 @@ optional_policy(` ') optional_policy(` @@ -82396,7 +83757,7 @@ index 5fb9683..d2c89ca 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -827,12 +1227,30 @@ optional_policy(` +@@ -827,12 +1226,30 @@ optional_policy(` ') optional_policy(` @@ -82429,7 +83790,7 @@ index 5fb9683..d2c89ca 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -842,6 +1260,18 @@ optional_policy(` +@@ -842,6 +1259,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -82448,7 +83809,7 @@ index 5fb9683..d2c89ca 100644 ') optional_policy(` -@@ -857,6 +1287,10 @@ optional_policy(` +@@ -857,6 +1286,10 @@ optional_policy(` ') optional_policy(` 
@@ -82459,7 +83820,7 @@ index 5fb9683..d2c89ca 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -867,3 +1301,165 @@ optional_policy(` +@@ -867,3 +1300,165 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -82681,7 +84042,7 @@ index 0d4c8d3..9d66bf7 100644 ######################################## diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index fac0a01..002b264 100644 +index fac0a01..481ef57 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -73,13 +73,15 @@ role system_r types setkey_t; @@ -82701,10 +84062,11 @@ index fac0a01..002b264 100644 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; -@@ -128,19 +130,21 @@ corecmd_exec_bin(ipsec_t) +@@ -127,20 +129,21 @@ corecmd_exec_shell(ipsec_t) + corecmd_exec_bin(ipsec_t) # Pluto needs network access - corenet_all_recvfrom_unlabeled(ipsec_t) +-corenet_all_recvfrom_unlabeled(ipsec_t) -corenet_tcp_sendrecv_all_if(ipsec_t) -corenet_raw_sendrecv_all_if(ipsec_t) -corenet_tcp_sendrecv_all_nodes(ipsec_t) @@ -82729,7 +84091,7 @@ index fac0a01..002b264 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -156,6 +160,8 @@ files_dontaudit_search_home(ipsec_t) +@@ -156,6 +159,8 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -82738,7 +84100,7 @@ index fac0a01..002b264 100644 term_use_console(ipsec_t) term_dontaudit_use_all_ttys(ipsec_t) -@@ -164,11 +170,14 @@ auth_use_nsswitch(ipsec_t) +@@ -164,11 +169,14 @@ auth_use_nsswitch(ipsec_t) init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) @@ -82753,7 +84115,7 @@ index fac0a01..002b264 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -186,9 +195,9 @@ optional_policy(` +@@ -186,9 +194,9 @@ optional_policy(` # ipsec_mgmt Local policy # 
@@ -82766,7 +84128,7 @@ index fac0a01..002b264 100644 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -245,6 +254,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -245,6 +253,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -82783,7 +84145,7 @@ index fac0a01..002b264 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -254,6 +273,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -254,6 +272,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -82792,7 +84154,7 @@ index fac0a01..002b264 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -277,9 +298,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -277,9 +297,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -82804,7 +84166,7 @@ index fac0a01..002b264 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -297,7 +319,12 @@ sysnet_manage_config(ipsec_mgmt_t) +@@ -297,7 +318,12 @@ sysnet_manage_config(ipsec_mgmt_t) sysnet_domtrans_ifconfig(ipsec_mgmt_t) sysnet_etc_filetrans_config(ipsec_mgmt_t) @@ -82818,10 +84180,11 @@ index fac0a01..002b264 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -370,12 +397,12 @@ corecmd_exec_shell(racoon_t) +@@ -369,13 +395,12 @@ kernel_request_load_module(racoon_t) + corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) - corenet_all_recvfrom_unlabeled(racoon_t) +-corenet_all_recvfrom_unlabeled(racoon_t) -corenet_tcp_sendrecv_all_if(racoon_t) -corenet_udp_sendrecv_all_if(racoon_t) -corenet_tcp_sendrecv_all_nodes(racoon_t) 
@@ -82837,7 +84200,7 @@ index fac0a01..002b264 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -404,6 +431,8 @@ miscfiles_read_localization(racoon_t) +@@ -404,6 +429,8 @@ miscfiles_read_localization(racoon_t) sysnet_exec_ifconfig(racoon_t) @@ -82846,7 +84209,7 @@ index fac0a01..002b264 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -441,5 +470,6 @@ miscfiles_read_localization(setkey_t) +@@ -441,5 +468,6 @@ miscfiles_read_localization(setkey_t) seutil_read_config(setkey_t) @@ -83818,7 +85181,7 @@ index 9fd5be7..226328b 100644 - nscd_socket_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 02f4c97..54c74fe 100644 +index 02f4c97..debdd69 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -6,6 +6,8 @@ 
@@ -83871,15 +85234,16 @@ index 02f4c97..54c74fe 100644 /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) -@@ -46,6 +61,7 @@ ifdef(`distro_suse', ` +@@ -46,6 +61,8 @@ ifdef(`distro_suse', ` /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) /var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) +/var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) ++/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) ifndef(`distro_gentoo',` /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) -@@ -54,6 +70,7 @@ ifndef(`distro_gentoo',` +@@ -54,6 +71,7 @@ ifndef(`distro_gentoo',` ifdef(`distro_redhat',` /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) @@ -83887,7 +85251,7 @@ index 02f4c97..54c74fe 100644 ') /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) -@@ -66,6 +83,7 @@ ifdef(`distro_redhat',` +@@ -66,6 +84,7 @@ ifdef(`distro_redhat',` /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) 
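Review bot: The new `/var/run/systemd/journal(/.*)?` entry labels the whole journal runtime tree `syslogd_var_run_t` at `mls_systemhigh`, so any socket files the journal creates there presumably are not covered by the `devlog_t` permissions that the `/dev/log` socket (see `files_pid_filetrans(syslogd_t, devlog_t, sock_file)` in the logging.te hunk) gets; if the journal's dev-log socket lives under this directory, clients will need `syslogd_var_run_t:sock_file write` or the socket needs its own `-s` entry, otherwise denials follow on first boot. The pattern is consistent with the `/var/run/log(/.*)?` line above it and with the `"journal"` named transition added in logging.if, but the commit description says `/var/run/journal` while the pattern here is `/var/run/systemd/journal`; one of them should be corrected. A short comment such as `# systemd-journald runtime dir; treated as syslog-equivalent state` would document the intent.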
@@ -83895,7 +85259,7 @@ index 02f4c97..54c74fe 100644 /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) -@@ -73,4 +91,9 @@ ifdef(`distro_redhat',` +@@ -73,4 +92,9 @@ ifdef(`distro_redhat',` /var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) @@ -83906,7 +85270,7 @@ index 02f4c97..54c74fe 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 321bb13..9de21c2 100644 +index 321bb13..7b4e560 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -84218,7 +85582,7 @@ index 321bb13..9de21c2 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1048,3 +1260,25 @@ interface(`logging_admin',` +@@ -1048,3 +1260,29 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -84237,15 +85601,19 @@ index 321bb13..9de21c2 100644 + gen_require(` + type var_log_t; + type audit_spool_t; ++ type syslogd_var_run_t; + ') + -+ files_var_filetrans($1, var_log_t, dir, "webmin") ++ files_pid_filetrans($1, syslogd_var_run_t, dir, "log") + files_spool_filetrans($1, var_log_t, dir, "rsyslog") + files_spool_filetrans($1, var_log_t, dir, "log") + files_spool_filetrans($1, audit_spool_t, dir, "audit") ++ files_var_filetrans($1, var_log_t, dir, "webmin") ++ ++ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 92555db..0b2acb1 100644 +index 92555db..3637166 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -5,6 +5,20 @@ policy_module(logging, 1.18.2) 
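Review bot: `init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")` calls an interface that is not shown being defined in the init.if hunks of this chunk; if it does not exist in the patched tree the module build fails at interface expansion, so confirm it is declared. The interface's own header and doc block lie outside this hunk, so its `<summary>` should say that it creates `/var/run/log`, `/var/run/systemd/journal`, the rsyslog/log/audit spool dirs and `/var/webmin` with logging labels, which tells callers what they receive beyond a generic filetrans name. Because `files_pid_filetrans($1, syslogd_var_run_t, dir, "log")` lets any caller create `/var/run/log` with the syslog daemon's runtime label, the interface should only be handed to the daemon and admin domains, and the doc block should say so.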
@@ -84321,7 +85689,15 @@ index 92555db..0b2acb1 100644 dev_read_sysfs(auditd_t) -@@ -183,16 +205,19 @@ logging_send_syslog_msg(auditd_t) +@@ -157,7 +179,6 @@ fs_rw_anon_inodefs_files(auditd_t) + + selinux_search_fs(auditctl_t) + +-corenet_all_recvfrom_unlabeled(auditd_t) + corenet_all_recvfrom_netlabel(auditd_t) + corenet_tcp_sendrecv_generic_if(auditd_t) + corenet_tcp_sendrecv_generic_node(auditd_t) +@@ -183,16 +204,19 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -84342,7 +85718,7 @@ index 92555db..0b2acb1 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -237,10 +262,17 @@ corecmd_exec_shell(audisp_t) +@@ -237,10 +261,17 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) @@ -84360,7 +85736,7 @@ index 92555db..0b2acb1 100644 logging_send_syslog_msg(audisp_t) -@@ -250,6 +282,10 @@ sysnet_dns_name_resolve(audisp_t) +@@ -250,6 +281,10 @@ sysnet_dns_name_resolve(audisp_t) optional_policy(` dbus_system_bus_client(audisp_t) @@ -84371,7 +85747,15 @@ index 92555db..0b2acb1 100644 ') ######################################## -@@ -280,11 +316,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -268,7 +303,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) + + corecmd_exec_bin(audisp_remote_t) + +-corenet_all_recvfrom_unlabeled(audisp_remote_t) + corenet_all_recvfrom_netlabel(audisp_remote_t) + corenet_tcp_sendrecv_generic_if(audisp_remote_t) + corenet_tcp_sendrecv_generic_node(audisp_remote_t) +@@ -280,11 +314,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) 
@@ -84392,7 +85776,7 @@ index 92555db..0b2acb1 100644 sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -354,12 +399,12 @@ optional_policy(` +@@ -354,12 +397,12 @@ optional_policy(` # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! @@ -84408,7 +85792,7 @@ index 92555db..0b2acb1 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -377,6 +422,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -377,6 +420,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -84416,7 +85800,7 @@ index 92555db..0b2acb1 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -386,9 +432,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -386,9 +430,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) 
@@ -84432,18 +85816,19 @@ index 92555db..0b2acb1 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -401,6 +453,10 @@ kernel_read_messages(syslogd_t) +@@ -401,7 +451,10 @@ kernel_read_messages(syslogd_t) kernel_clear_ring_buffer(syslogd_t) kernel_change_ring_buffer_level(syslogd_t) +-corenet_all_recvfrom_unlabeled(syslogd_t) +ifdef(`hide_broken_symptoms',` + kernel_rw_unix_dgram_sockets(syslogd_t) +') + - corenet_all_recvfrom_unlabeled(syslogd_t) corenet_all_recvfrom_netlabel(syslogd_t) corenet_udp_sendrecv_generic_if(syslogd_t) -@@ -427,10 +483,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) + corenet_udp_sendrecv_generic_node(syslogd_t) +@@ -427,10 +480,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -84471,7 +85856,7 @@ index 92555db..0b2acb1 100644 files_read_etc_files(syslogd_t) files_read_usr_files(syslogd_t) -@@ -448,7 +521,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and +@@ -448,7 +518,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) @@ -84481,7 +85866,7 @@ index 92555db..0b2acb1 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -460,6 +535,7 @@ init_use_fds(syslogd_t) +@@ -460,6 +532,7 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -84489,7 +85874,7 @@ index 92555db..0b2acb1 100644 miscfiles_read_localization(syslogd_t) -@@ -493,15 +569,29 @@ optional_policy(` +@@ -493,15 +566,29 @@ optional_policy(` ') optional_policy(` @@ -84730,7 +86115,7 @@ index 58bc27f..51e9872 100644 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') 
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 7b6bcb9..cafc3af 100644 +index 7b6bcb9..61aa1ce 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -84770,7 +86155,15 @@ index 7b6bcb9..cafc3af 100644 manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) -@@ -141,6 +147,11 @@ ifdef(`distro_redhat',` +@@ -71,7 +77,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t) + corecmd_exec_shell(clvmd_t) + corecmd_getattr_bin_files(clvmd_t) + +-corenet_all_recvfrom_unlabeled(clvmd_t) + corenet_all_recvfrom_netlabel(clvmd_t) + corenet_tcp_sendrecv_generic_if(clvmd_t) + corenet_udp_sendrecv_generic_if(clvmd_t) +@@ -141,6 +146,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -84782,7 +86175,7 @@ index 7b6bcb9..cafc3af 100644 ccs_stream_connect(clvmd_t) ') -@@ -170,6 +181,7 @@ dontaudit lvm_t self:capability sys_tty_config; +@@ -170,6 +180,7 @@ dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; @@ -84790,7 +86183,7 @@ index 7b6bcb9..cafc3af 100644 allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -191,8 +203,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) +@@ -191,8 +202,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) can_exec(lvm_t, lvm_exec_t) # Creating lock files 
@@ -84801,7 +86194,7 @@ index 7b6bcb9..cafc3af 100644 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -@@ -200,8 +213,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) +@@ -200,8 +212,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) @@ -84812,7 +86205,7 @@ index 7b6bcb9..cafc3af 100644 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -@@ -213,11 +227,13 @@ files_search_mnt(lvm_t) +@@ -213,11 +226,13 @@ files_search_mnt(lvm_t) kernel_get_sysvipc_info(lvm_t) kernel_read_system_state(lvm_t) @@ -84826,7 +86219,7 @@ index 7b6bcb9..cafc3af 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -228,11 +244,13 @@ dev_delete_generic_dirs(lvm_t) +@@ -228,11 +243,13 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) @@ -84841,7 +86234,7 @@ index 7b6bcb9..cafc3af 100644 # cjp: this has no effect since LVM does not # have lnk_file relabelto for anything else. # perhaps this should be blk_files? -@@ -244,6 +262,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -244,6 +261,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -84849,7 +86242,7 @@ index 7b6bcb9..cafc3af 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -253,17 +272,21 @@ files_read_etc_files(lvm_t) +@@ -253,17 +271,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) 
@@ -84872,7 +86265,7 @@ index 7b6bcb9..cafc3af 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -283,7 +306,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) +@@ -283,7 +305,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -84881,7 +86274,7 @@ index 7b6bcb9..cafc3af 100644 init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -292,6 +315,8 @@ init_read_script_state(lvm_t) +@@ -292,6 +314,8 @@ init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) @@ -84890,7 +86283,7 @@ index 7b6bcb9..cafc3af 100644 miscfiles_read_localization(lvm_t) seutil_read_config(lvm_t) -@@ -299,7 +324,10 @@ seutil_read_file_contexts(lvm_t) +@@ -299,7 +323,10 @@ seutil_read_file_contexts(lvm_t) seutil_search_default_contexts(lvm_t) seutil_sigchld_newrole(lvm_t) @@ -84901,7 +86294,7 @@ index 7b6bcb9..cafc3af 100644 ifdef(`distro_redhat',` # this is from the initrd: -@@ -311,6 +339,11 @@ ifdef(`distro_redhat',` +@@ -311,6 +338,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -84913,7 +86306,7 @@ index 7b6bcb9..cafc3af 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -331,14 +364,27 @@ optional_policy(` +@@ -331,14 +363,27 @@ optional_policy(` ') optional_policy(` @@ -85730,7 +87123,7 @@ index 4584457..5b041ee 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6d3b14b..a810a6b 100644 +index 6d3b14b..31dac3e 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -10,35 +10,60 @@ policy_module(mount, 1.14.2) @@ -85946,7 +87339,7 @@ index 6d3b14b..a810a6b 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -146,26 +217,28 @@ ifdef(`distro_ubuntu',` +@@ -146,26 +217,27 @@ ifdef(`distro_ubuntu',` ') ') 
@@ -85963,7 +87356,7 @@ index 6d3b14b..a810a6b 100644 optional_policy(` # for nfs - corenet_all_recvfrom_unlabeled(mount_t) +- corenet_all_recvfrom_unlabeled(mount_t) corenet_all_recvfrom_netlabel(mount_t) - corenet_tcp_sendrecv_all_if(mount_t) - corenet_raw_sendrecv_all_if(mount_t) @@ -85986,7 +87379,7 @@ index 6d3b14b..a810a6b 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -179,6 +252,8 @@ optional_policy(` +@@ -179,6 +251,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -85995,7 +87388,7 @@ index 6d3b14b..a810a6b 100644 ') optional_policy(` -@@ -186,6 +261,28 @@ optional_policy(` +@@ -186,6 +260,28 @@ optional_policy(` ') optional_policy(` @@ -86024,7 +87417,7 @@ index 6d3b14b..a810a6b 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -193,21 +290,124 @@ optional_policy(` +@@ -193,21 +289,123 @@ optional_policy(` ') ') @@ -86106,7 +87499,6 @@ index 6d3b14b..a810a6b 100644 + +kernel_read_system_state(showmount_t) + -+corenet_all_recvfrom_unlabeled(showmount_t) +corenet_all_recvfrom_netlabel(showmount_t) +corenet_tcp_sendrecv_generic_if(showmount_t) +corenet_udp_sendrecv_generic_if(showmount_t) @@ -87395,7 +88787,7 @@ index 346a7cc..1285089 100644 + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 41a1853..f79ad37 100644 +index 41a1853..32a502e 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,47 @@ interface(`sysnet_domtrans_dhcpc',` 
@@ -87607,7 +88999,15 @@ index 41a1853..f79ad37 100644 ## Read the DHCP configuration files. ## ## -@@ -673,6 +826,8 @@ interface(`sysnet_dns_name_resolve',` +@@ -662,7 +815,6 @@ interface(`sysnet_dns_name_resolve',` + allow $1 self:udp_socket create_socket_perms; + allow $1 self:netlink_route_socket r_netlink_socket_perms; + +- corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) +@@ -673,6 +825,8 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_connect_dns_port($1) corenet_sendrecv_dns_client_packets($1) @@ -87616,7 +89016,15 @@ index 41a1853..f79ad37 100644 sysnet_read_config($1) optional_policy(` -@@ -714,6 +869,9 @@ interface(`sysnet_use_ldap',` +@@ -701,7 +855,6 @@ interface(`sysnet_use_ldap',` + + allow $1 self:tcp_socket create_socket_perms; + +- corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) +@@ -714,6 +867,9 @@ interface(`sysnet_use_ldap',` dev_read_urand($1) sysnet_read_config($1) @@ -87626,7 +89034,7 @@ index 41a1853..f79ad37 100644 ') ######################################## -@@ -747,3 +905,73 @@ interface(`sysnet_use_portmap',` +@@ -747,3 +903,73 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -87701,7 +89109,7 @@ index 41a1853..f79ad37 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 8aed9d0..6a6f03f 100644 +index 8aed9d0..fdabb76 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.13.2) 
@@ -87777,9 +89185,11 @@ index 8aed9d0..6a6f03f 100644 sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) -@@ -92,25 +108,28 @@ corecmd_exec_shell(dhcpc_t) +@@ -90,27 +106,29 @@ kernel_rw_net_sysctls(dhcpc_t) + corecmd_exec_bin(dhcpc_t) + corecmd_exec_shell(dhcpc_t) - corenet_all_recvfrom_unlabeled(dhcpc_t) +-corenet_all_recvfrom_unlabeled(dhcpc_t) corenet_all_recvfrom_netlabel(dhcpc_t) -corenet_tcp_sendrecv_all_if(dhcpc_t) -corenet_raw_sendrecv_all_if(dhcpc_t) @@ -87814,7 +89224,7 @@ index 8aed9d0..6a6f03f 100644 domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) -@@ -130,15 +149,21 @@ term_dontaudit_use_all_ptys(dhcpc_t) +@@ -130,15 +148,21 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) @@ -87838,7 +89248,7 @@ index 8aed9d0..6a6f03f 100644 userdom_use_user_terminals(dhcpc_t) userdom_dontaudit_search_user_home_dirs(dhcpc_t) -@@ -153,8 +178,19 @@ ifdef(`distro_ubuntu',` +@@ -153,8 +177,19 @@ ifdef(`distro_ubuntu',` ') ') @@ -87859,7 +89269,7 @@ index 8aed9d0..6a6f03f 100644 ') optional_policy(` -@@ -169,11 +205,14 @@ optional_policy(` +@@ -169,11 +204,14 @@ optional_policy(` ') optional_policy(` @@ -87875,7 +89285,7 @@ index 8aed9d0..6a6f03f 100644 ') optional_policy(` -@@ -187,25 +226,41 @@ optional_policy(` +@@ -187,25 +225,41 @@ optional_policy(` # for the dhcp client to run ping to check IP addresses optional_policy(` @@ -87919,7 +89329,7 @@ index 8aed9d0..6a6f03f 100644 ') optional_policy(` -@@ -216,6 +271,11 @@ optional_policy(` +@@ -216,6 +270,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) 
@@ -87931,7 +89341,7 @@ index 8aed9d0..6a6f03f 100644 ') optional_policy(` -@@ -258,6 +318,7 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -258,6 +317,7 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -87939,7 +89349,7 @@ index 8aed9d0..6a6f03f 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -276,11 +337,17 @@ corenet_rw_tun_tap_dev(ifconfig_t) +@@ -276,11 +336,17 @@ corenet_rw_tun_tap_dev(ifconfig_t) dev_read_sysfs(ifconfig_t) # for IPSEC setup: dev_read_urand(ifconfig_t) @@ -87957,7 +89367,7 @@ index 8aed9d0..6a6f03f 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -293,7 +360,7 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -293,7 +359,7 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -87966,7 +89376,7 @@ index 8aed9d0..6a6f03f 100644 init_use_fds(ifconfig_t) init_use_script_ptys(ifconfig_t) -@@ -304,11 +371,11 @@ logging_send_syslog_msg(ifconfig_t) +@@ -304,11 +370,11 @@ logging_send_syslog_msg(ifconfig_t) miscfiles_read_localization(ifconfig_t) @@ -87981,7 +89391,7 @@ index 8aed9d0..6a6f03f 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -317,7 +384,22 @@ ifdef(`distro_ubuntu',` +@@ -317,7 +383,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -88004,7 +89414,7 @@ index 8aed9d0..6a6f03f 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -328,8 +410,14 @@ ifdef(`hide_broken_symptoms',` +@@ -328,8 +409,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -88019,7 +89429,7 @@ index 8aed9d0..6a6f03f 100644 ') optional_policy(` -@@ -338,7 +426,15 @@ optional_policy(` +@@ -338,7 +425,15 @@ optional_policy(` ') optional_policy(` 
@@ -88036,7 +89446,7 @@ index 8aed9d0..6a6f03f 100644 ') optional_policy(` -@@ -359,3 +455,9 @@ optional_policy(` +@@ -359,3 +454,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -88048,10 +89458,10 @@ index 8aed9d0..6a6f03f 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..161f271 +index 0000000..365de83 --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,23 @@ +@@ -0,0 +1,24 @@ +/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) +/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) +/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) @@ -88072,15 +89482,16 @@ index 0000000..161f271 +/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0) +/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) ++/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_inhibit_var_run_t,s0) +/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) +/var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..6a29fb0 +index 0000000..40fe8f5 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,698 @@ +@@ -0,0 +1,734 @@ +## SELinux policy for systemd components + +####################################### 
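Review bot: The new file-context entry for `/var/run/systemd/inhibit(/.*)?` labels it `systemd_inhibit_var_run_t`, but the type this commit declares in systemd.te (`type systemd_logind_inhibit_var_run_t;`, hunk @@ -88781 below) and the type that `systemd_write_inhibit_pipes` and the logind manage/filetrans rules use is `systemd_logind_inhibit_var_run_t`. With an undeclared type in the fc file the policy's file-context validation will most likely reject the build, and even if it passed, restorecon/relabel would not apply the type that the new rules are written against, so only the runtime `init_named_pid_filetrans` path would ever produce it. The entry should read `/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)`.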
@@ -88350,6 +89761,24 @@ index 0000000..6a29fb0 + allow $1 systemd_logind_sessions_t:fifo_file write; +') + ++###################################### ++## ++## Write systemd inhibit pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_write_inhibit_pipes',` ++ gen_require(` ++ type systemd_logind_inhibit_var_run_t; ++ ') ++ ++ allow $1 systemd_logind_inhibit_var_run_t:fifo_file write; ++') ++ +######################################## +## +## Send and receive messages from @@ -88727,6 +90156,24 @@ index 0000000..6a29fb0 + +######################################## +## ++## Send systemd_login a null signal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_login_signull',` ++ gen_require(` ++ type systemd_logind_t; ++ ') ++ ++ allow $1 systemd_logind_t:process signull; ++') ++ ++######################################## ++## +## Tell systemd_login to reboot the system. +## +## @@ -88781,10 +90228,10 @@ index 0000000..6a29fb0 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..bd7cbee +index 0000000..93c10a9 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,427 @@ +@@ -0,0 +1,439 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -88812,6 +90259,9 @@ index 0000000..bd7cbee +type systemd_logind_var_run_t; +files_pid_file(systemd_logind_var_run_t) + ++type systemd_logind_inhibit_var_run_t; ++files_pid_file(systemd_logind_inhibit_var_run_t) ++ +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent +# systemd components + 
@@ -88855,6 +90305,13 @@ index 0000000..bd7cbee +manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t }) +init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions") +init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir) ++ ++manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) ++manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) ++manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) ++manage_sock_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) ++init_named_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit") ++ +init_status(systemd_logind_t) +init_signal(systemd_logind_t) +init_reboot(systemd_logind_t) @@ -88995,6 +90452,8 @@ index 0000000..bd7cbee +init_read_utmp(systemd_passwd_agent_t) +init_stream_connect(systemd_passwd_agent_t) + ++logging_send_syslog_msg(systemd_passwd_agent_t) ++ +miscfiles_read_localization(systemd_passwd_agent_t) + +userdom_use_user_ptys(systemd_passwd_agent_t) @@ -90551,7 +92010,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index e720dcd..bb468a3 100644 +index e720dcd..7ce85d3 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
@@ -90567,7 +92026,7 @@ index e720dcd..bb468a3 100644 corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t) -@@ -44,79 +46,132 @@ template(`userdom_base_user_template',` +@@ -44,79 +46,133 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -90723,6 +92182,7 @@ index e720dcd..bb468a3 100644 - tunable_policy(`allow_execmem',` + systemd_dbus_chat_logind($1_usertype) + systemd_read_logind_sessions_files($1_usertype) ++ systemd_write_inhibit_pipes($1_usertype) + + tunable_policy(`deny_execmem',`', ` # Allow loading DSOs that require executable stack. @@ -90751,7 +92211,7 @@ index e720dcd..bb468a3 100644 ') ####################################### -@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',` +@@ -150,6 +206,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -90760,7 +92220,7 @@ index e720dcd..bb468a3 100644 ############################## # # Domain access to home dir -@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',` +@@ -167,27 +225,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -90788,7 +92248,7 @@ index e720dcd..bb468a3 100644 ') ####################################### -@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',` +@@ -219,8 +256,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -90800,7 +92260,7 @@ index e720dcd..bb468a3 100644 ############################## # # Domain access to home dir -@@ -229,43 +268,47 @@ interface(`userdom_manage_home_role',` +@@ -229,43 +269,47 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory 
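Review bot: `systemd_write_inhibit_pipes($1_usertype)` is added unconditionally in the base user template, so every user domain generated from it (including the more restricted ones) can hold a logind inhibitor lock and thereby delay or block suspend and shutdown. If that is the intended scope, a why-comment next to the line would save the next reader from questioning it, e.g. `# logind hands each session an inhibitor-lock fifo fd over D-Bus; users need write on it to hold the lock`. The enclosing `userdom_base_user_template` starts and ends outside this hunk, so I cannot see whether the neighbouring `systemd_*` calls are wrapped in an `optional_policy` block; if they are not, this line is at least consistent with them.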
@@ -90864,7 +92324,7 @@ index e720dcd..bb468a3 100644 ') ') -@@ -273,6 +316,25 @@ interface(`userdom_manage_home_role',` +@@ -273,6 +317,25 @@ interface(`userdom_manage_home_role',` ## ## Manage user temporary files ## @@ -90890,7 +92350,7 @@ index e720dcd..bb468a3 100644 ## ## ## Role allowed access. -@@ -287,17 +349,64 @@ interface(`userdom_manage_home_role',` +@@ -287,17 +350,64 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` gen_require(` @@ -90960,7 +92420,7 @@ index e720dcd..bb468a3 100644 ') ####################################### -@@ -317,6 +426,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -317,6 +427,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -90968,7 +92428,7 @@ index e720dcd..bb468a3 100644 files_search_tmp($1) ') -@@ -348,59 +458,62 @@ interface(`userdom_exec_user_tmp_files',` +@@ -348,59 +459,61 @@ interface(`userdom_exec_user_tmp_files',` # interface(`userdom_manage_tmpfs_role',` gen_require(` @@ -91019,7 +92479,8 @@ index e720dcd..bb468a3 100644 - - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; -- ++interface(`userdom_basic_networking',` + - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) @@ -91030,14 +92491,10 @@ index e720dcd..bb468a3 100644 - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) -- -- corenet_all_recvfrom_labeled($1_t, $1_t) -+interface(`userdom_basic_networking',` -+ + allow $1 self:tcp_socket create_stream_socket_perms; + allow $1 self:udp_socket create_socket_perms; -+ -+ corenet_all_recvfrom_unlabeled($1) + +- corenet_all_recvfrom_labeled($1_t, $1_t) + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) 
@@ -91226,15 +92683,15 @@ index e720dcd..bb468a3 100644 - alsa_relabel_home_files($1_t) + # Allow graphical boot to check battery lifespan + apm_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ canna_stream_connect($1_usertype) ') optional_policy(` - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) -+ canna_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` + chrome_role($1_r, $1_usertype) ') @@ -91394,30 +92851,30 @@ index e720dcd..bb468a3 100644 + + optional_policy(` + rpcbind_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` - slrnpull_search_spool($1_t) -+ seunshare_role_template($1, $1_r, $1_t) ++ slrnpull_search_spool($1_usertype) ') optional_policy(` - usernetctl_run($1_t, $1_r) -+ slrnpull_search_spool($1_usertype) -+ ') -+ -+ optional_policy(` + thumb_role($1_r, $1_usertype) ') ') @@ -91435,15 +92892,15 @@ index e720dcd..bb468a3 100644 + typeattribute $1_t login_userdomain; + + userdom_manage_home_role($1_r, $1_usertype) - -- userdom_manage_tmp_role($1_r, $1_t) -- userdom_manage_tmpfs_role($1_r, $1_t) ++ + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) + + ifelse(`$1',`unconfined',`',` + gen_tunable($1_exec_content, true) -+ + +- userdom_manage_tmp_role($1_r, $1_t) +- userdom_manage_tmpfs_role($1_r, $1_t) + tunable_policy(`$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) 
@@ -91545,51 +93002,51 @@ index e720dcd..bb468a3 100644 - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) -+ + +- seutil_read_config($1_t) + seutil_read_config($1_usertype) + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) + seutil_exec_setfiles($1_usertype) -+ -+ optional_policy(` -+ cups_read_config($1_usertype) -+ cups_stream_connect($1_usertype) -+ cups_stream_connect_ptal($1_usertype) -+ ') - -- seutil_read_config($1_t) -+ optional_policy(` -+ kerberos_use($1_usertype) -+ kerberos_filetrans_home_content($1_usertype) -+ ') optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) -+ mysql_filetrans_named_content($1_usertype) ++ cups_read_config($1_usertype) ++ cups_stream_connect($1_usertype) ++ cups_stream_connect_ptal($1_usertype) ') optional_policy(` - kerberos_use($1_t) -+ mta_dontaudit_read_spool_symlinks($1_usertype) ++ kerberos_use($1_usertype) ++ kerberos_filetrans_home_content($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) -+ quota_dontaudit_getattr_db($1_usertype) ++ mysql_filetrans_named_content($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) -+ rpm_read_cache($1_usertype) ++ mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) ++ quota_dontaudit_getattr_db($1_usertype) ++ ') ++ ++ optional_policy(` ++ rpm_read_db($1_usertype) ++ rpm_dontaudit_manage_db($1_usertype) ++ rpm_read_cache($1_usertype) ++ ') ++ ++ optional_policy(` + oddjob_run_mkhomedir($1_t, $1_r) ') ') 
@@ -91806,9 +93263,11 @@ index e720dcd..bb468a3 100644 + + optional_policy(` + games_rw_data($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + gpg_role($1_r, $1_usertype) + ') + @@ -91827,11 +93286,9 @@ index e720dcd..bb468a3 100644 + + optional_policy(` + wine_role_template($1, $1_r, $1_t) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') @@ -92037,7 +93494,7 @@ index e720dcd..bb468a3 100644 ') ######################################## -@@ -1363,9 +1728,54 @@ interface(`userdom_user_tmpfs_file',` +@@ -1363,13 +1728,58 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -92047,9 +93504,10 @@ index e720dcd..bb468a3 100644 -## Domain allowed access. +## Type to be used as a file in the +## generic temporary directory. -+## -+## -+# + ## + ## + # +-interface(`userdom_attach_admin_tun_iface',` +interface(`userdom_user_tmp_content',` + gen_require(` + attribute user_tmp_type; @@ -92091,9 +93549,13 @@ index e720dcd..bb468a3 100644 +## +## +## Domain allowed access. - ## - ## - # ++## ++## ++# ++interface(`userdom_attach_admin_tun_iface',` + gen_require(` + attribute admindomain; + ') @@ -1467,11 +1877,31 @@ interface(`userdom_search_user_home_dirs',` ') diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index b25522a..dc3dbcd 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -316,7 +316,7 @@ index 0b827c5..ac79ca6 100644 + dontaudit $1 abrt_t:sock_file write; ') diff --git a/abrt.te b/abrt.te -index 30861ec..9522c1a 100644 +index 30861ec..981df33 100644 --- a/abrt.te +++ b/abrt.te @@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0) 
@@ -452,7 +452,15 @@ index 30861ec..9522c1a 100644 kernel_read_ring_buffer(abrt_t) kernel_read_system_state(abrt_t) -@@ -104,6 +170,8 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -93,7 +159,6 @@ corecmd_exec_shell(abrt_t) + corecmd_read_all_executables(abrt_t) + + corenet_all_recvfrom_netlabel(abrt_t) +-corenet_all_recvfrom_unlabeled(abrt_t) + corenet_tcp_sendrecv_generic_if(abrt_t) + corenet_tcp_sendrecv_generic_node(abrt_t) + corenet_tcp_sendrecv_generic_port(abrt_t) +@@ -104,6 +169,8 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -461,7 +469,7 @@ index 30861ec..9522c1a 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +181,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +180,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) @@ -471,7 +479,7 @@ index 30861ec..9522c1a 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +190,9 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +189,9 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -481,7 +489,7 @@ index 30861ec..9522c1a 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,22 +203,31 @@ fs_read_nfs_files(abrt_t) +@@ -131,22 +202,31 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -518,7 +526,7 @@ index 30861ec..9522c1a 100644 ') optional_policy(` -@@ -167,6 +248,7 @@ optional_policy(` +@@ -167,6 +247,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -526,7 +534,7 @@ index 30861ec..9522c1a 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,9 +260,32 @@ optional_policy(` +@@ -178,9 +259,32 @@ optional_policy(` ') optional_policy(` 
@@ -559,7 +567,7 @@ index 30861ec..9522c1a 100644 ######################################## # # abrt--helper local policy -@@ -200,23 +305,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,23 +304,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -588,7 +596,7 @@ index 30861ec..9522c1a 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +328,146 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +327,146 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -988,7 +996,7 @@ index 8559cdc..641044e 100644 # Allow afs_admin to restart the afs service afs_initrc_domtrans($1) diff --git a/afs.te b/afs.te -index a496fde..859f4cf 100644 +index a496fde..e4b761b 100644 --- a/afs.te +++ b/afs.te @@ -71,6 +71,7 @@ role system_r types afs_vlserver_t; @@ -999,7 +1007,15 @@ index a496fde..859f4cf 100644 allow afs_t self:process { setsched signal }; allow afs_t self:udp_socket create_socket_perms; allow afs_t self:fifo_file rw_file_perms; -@@ -107,6 +108,10 @@ miscfiles_read_localization(afs_t) +@@ -82,7 +83,6 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir }) + + kernel_rw_afs_state(afs_t) + +-corenet_all_recvfrom_unlabeled(afs_t) + corenet_all_recvfrom_netlabel(afs_t) + corenet_tcp_sendrecv_generic_if(afs_t) + corenet_udp_sendrecv_generic_if(afs_t) +@@ -107,6 +107,10 @@ miscfiles_read_localization(afs_t) sysnet_dns_name_resolve(afs_t) 
@@ -1010,6 +1026,46 @@ index a496fde..859f4cf 100644 ######################################## # # AFS bossserver local policy +@@ -140,7 +144,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) + + kernel_read_kernel_sysctls(afs_bosserver_t) + +-corenet_all_recvfrom_unlabeled(afs_bosserver_t) + corenet_all_recvfrom_netlabel(afs_bosserver_t) + corenet_tcp_sendrecv_generic_if(afs_bosserver_t) + corenet_udp_sendrecv_generic_if(afs_bosserver_t) +@@ -202,7 +205,6 @@ corenet_tcp_sendrecv_generic_node(afs_fsserver_t) + corenet_udp_sendrecv_generic_node(afs_fsserver_t) + corenet_tcp_sendrecv_all_ports(afs_fsserver_t) + corenet_udp_sendrecv_all_ports(afs_fsserver_t) +-corenet_all_recvfrom_unlabeled(afs_fsserver_t) + corenet_all_recvfrom_netlabel(afs_fsserver_t) + corenet_tcp_bind_generic_node(afs_fsserver_t) + corenet_udp_bind_generic_node(afs_fsserver_t) +@@ -252,7 +254,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) + + kernel_read_kernel_sysctls(afs_kaserver_t) + +-corenet_all_recvfrom_unlabeled(afs_kaserver_t) + corenet_all_recvfrom_netlabel(afs_kaserver_t) + corenet_tcp_sendrecv_generic_if(afs_kaserver_t) + corenet_udp_sendrecv_generic_if(afs_kaserver_t) +@@ -296,7 +297,6 @@ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) + manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t) + filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file) + +-corenet_all_recvfrom_unlabeled(afs_ptserver_t) + corenet_all_recvfrom_netlabel(afs_ptserver_t) + corenet_tcp_sendrecv_generic_if(afs_ptserver_t) + corenet_udp_sendrecv_generic_if(afs_ptserver_t) +@@ -334,7 +334,6 @@ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) + manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t) + filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file) + +-corenet_all_recvfrom_unlabeled(afs_vlserver_t) + corenet_all_recvfrom_netlabel(afs_vlserver_t) + 
corenet_tcp_sendrecv_generic_if(afs_vlserver_t) + corenet_udp_sendrecv_generic_if(afs_vlserver_t) diff --git a/aiccu.if b/aiccu.if index 184c9a8..8f77bf5 100644 --- a/aiccu.if @@ -1030,13 +1086,14 @@ index 184c9a8..8f77bf5 100644 domain_system_change_exemption($1) role_transition $2 aiccu_initrc_exec_t system_r; diff --git a/aiccu.te b/aiccu.te -index 6d685ba..b6f9ba3 100644 +index 6d685ba..df6924b 100644 --- a/aiccu.te +++ b/aiccu.te -@@ -45,9 +45,11 @@ corecmd_exec_shell(aiccu_t) +@@ -44,10 +44,11 @@ kernel_read_system_state(aiccu_t) + corecmd_exec_shell(aiccu_t) corenet_all_recvfrom_netlabel(aiccu_t) - corenet_all_recvfrom_unlabeled(aiccu_t) +-corenet_all_recvfrom_unlabeled(aiccu_t) +corenet_tcp_bind_generic_node(aiccu_t) corenet_tcp_sendrecv_generic_if(aiccu_t) corenet_tcp_sendrecv_generic_node(aiccu_t) @@ -1045,7 +1102,7 @@ index 6d685ba..b6f9ba3 100644 corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) corenet_tcp_bind_generic_node(aiccu_t) corenet_tcp_connect_sixxsconfig_port(aiccu_t) -@@ -62,6 +64,8 @@ dev_read_urand(aiccu_t) +@@ -62,6 +63,8 @@ dev_read_urand(aiccu_t) files_read_etc_files(aiccu_t) @@ -1463,7 +1520,7 @@ index dc1b088..d1f2a62 100644 term_dontaudit_use_console(alsa_t) diff --git a/amanda.te b/amanda.te -index bec220e..1d26add 100644 +index bec220e..f0cf404 100644 --- a/amanda.te +++ b/amanda.te @@ -58,7 +58,7 @@ optional_policy(` 
@@ -1483,7 +1540,15 @@ index bec220e..1d26add 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -120,7 +121,6 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) +@@ -101,7 +102,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) + corecmd_exec_shell(amanda_t) + corecmd_exec_bin(amanda_t) + +-corenet_all_recvfrom_unlabeled(amanda_t) + corenet_all_recvfrom_netlabel(amanda_t) + corenet_tcp_sendrecv_generic_if(amanda_t) + corenet_udp_sendrecv_generic_if(amanda_t) +@@ -120,7 +120,6 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) dev_getattr_all_blk_files(amanda_t) dev_getattr_all_chr_files(amanda_t) @@ -1491,7 +1556,15 @@ index bec220e..1d26add 100644 files_read_etc_runtime_files(amanda_t) files_list_all(amanda_t) files_read_all_files(amanda_t) -@@ -193,7 +193,6 @@ corenet_sendrecv_amanda_client_packets(amanda_recover_t) +@@ -177,7 +176,6 @@ kernel_read_kernel_sysctls(amanda_recover_t) + corecmd_exec_shell(amanda_recover_t) + corecmd_exec_bin(amanda_recover_t) + +-corenet_all_recvfrom_unlabeled(amanda_recover_t) + corenet_all_recvfrom_netlabel(amanda_recover_t) + corenet_tcp_sendrecv_generic_if(amanda_recover_t) + corenet_udp_sendrecv_generic_if(amanda_recover_t) +@@ -193,7 +191,6 @@ corenet_sendrecv_amanda_client_packets(amanda_recover_t) domain_use_interactive_fds(amanda_recover_t) @@ -1499,7 +1572,7 @@ index bec220e..1d26add 100644 files_read_etc_runtime_files(amanda_recover_t) files_search_tmp(amanda_recover_t) files_search_pids(amanda_recover_t) -@@ -207,5 +206,10 @@ logging_search_logs(amanda_recover_t) +@@ -207,5 +204,10 @@ logging_search_logs(amanda_recover_t) miscfiles_read_localization(amanda_recover_t) @@ -1563,10 +1636,24 @@ index e31d92a..1aa0718 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff --git a/amavis.te b/amavis.te -index 5a9b451..e36eab0 100644 +index 5a9b451..94d9048 100644 --- a/amavis.te 
+++ b/amavis.te -@@ -38,7 +38,7 @@ type amavis_quarantine_t; +@@ -5,6 +5,13 @@ policy_module(amavis, 1.13.1) + # Declarations + # + ++## ++##

++## Allow amavis to use JIT compiler ++##

++##
++gen_tunable(amavis_use_jit, false) ++ + type amavis_t; + type amavis_exec_t; + domain_type(amavis_t) +@@ -38,7 +45,7 @@ type amavis_quarantine_t; files_type(amavis_quarantine_t) type amavis_spool_t; @@ -1575,7 +1662,7 @@ index 5a9b451..e36eab0 100644 ######################################## # -@@ -49,7 +49,7 @@ allow amavis_t self:capability { kill chown dac_override setgid setuid }; +@@ -49,7 +56,7 @@ allow amavis_t self:capability { kill chown dac_override setgid setuid }; dontaudit amavis_t self:capability sys_tty_config; allow amavis_t self:process { signal sigchld sigkill signull }; allow amavis_t self:fifo_file rw_fifo_file_perms; @@ -1584,7 +1671,7 @@ index 5a9b451..e36eab0 100644 allow amavis_t self:unix_dgram_socket create_socket_perms; allow amavis_t self:tcp_socket { listen accept }; allow amavis_t self:netlink_route_socket r_netlink_socket_perms; -@@ -75,9 +75,11 @@ filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file) +@@ -75,9 +82,11 @@ filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file) files_search_spool(amavis_t) # tmp files @@ -1597,7 +1684,15 @@ index 5a9b451..e36eab0 100644 # var/lib files for amavis manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) -@@ -125,20 +127,24 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t) +@@ -107,7 +116,6 @@ kernel_dontaudit_read_system_state(amavis_t) + corecmd_exec_bin(amavis_t) + corecmd_exec_shell(amavis_t) + +-corenet_all_recvfrom_unlabeled(amavis_t) + corenet_all_recvfrom_netlabel(amavis_t) + corenet_tcp_sendrecv_generic_if(amavis_t) + corenet_tcp_sendrecv_generic_node(amavis_t) +@@ -125,20 +133,24 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t) corenet_udp_bind_generic_port(amavis_t) corenet_dontaudit_udp_bind_all_ports(amavis_t) corenet_tcp_connect_razor_port(amavis_t) 
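Review bot: The new tunable description `Allow amavis to use JIT compiler` does not say what is being granted; the `tunable_policy` block in the inner hunk `+@@ -148,21 +160,27 @@` allows `amavis_t self:process execmem`, i.e. mapping anonymous memory that is both writable and executable, which removes the W^X mitigation from a daemon that parses untrusted mail. Suggest the description read `Allow amavis to use a JIT compiler. This grants execmem (writable+executable anonymous memory) and weakens exploit mitigation for a daemon handling untrusted mail; leave off unless required.` so an administrator sees the trade-off before flipping it; the default of false is the right choice. A short why-comment next to the `tunable_policy` call, e.g. `# JIT-enabled engines need execmem; dontaudit keeps the default-off case quiet` (the engine presumably a JIT regex library, to be confirmed), would also explain why the `dontaudit` branch exists.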
@@ -1623,7 +1718,7 @@ index 5a9b451..e36eab0 100644 # uses uptime which reads utmp - redhat bug 561383 init_read_utmp(amavis_t) init_stream_connect_script(amavis_t) -@@ -148,21 +154,21 @@ logging_send_syslog_msg(amavis_t) +@@ -148,21 +160,27 @@ logging_send_syslog_msg(amavis_t) miscfiles_read_generic_certs(amavis_t) miscfiles_read_localization(amavis_t) @@ -1638,7 +1733,12 @@ index 5a9b451..e36eab0 100644 -cron_rw_pipes(amavis_t) - -mta_read_config(amavis_t) -- ++tunable_policy(`amavis_use_jit',` ++ allow amavis_t self:process execmem; ++',` ++ dontaudit amavis_t self:process execmem; ++') + optional_policy(` clamav_stream_connect(amavis_t) clamav_domtrans_clamscan(amavis_t) @@ -1653,7 +1753,7 @@ index 5a9b451..e36eab0 100644 ') optional_policy(` -@@ -171,11 +177,16 @@ optional_policy(` +@@ -171,11 +189,16 @@ optional_policy(` ') optional_policy(` @@ -1670,7 +1770,7 @@ index 5a9b451..e36eab0 100644 ') optional_policy(` -@@ -188,6 +199,10 @@ optional_policy(` +@@ -188,6 +211,10 @@ optional_policy(` ') optional_policy(` @@ -2622,7 +2722,7 @@ index 6480167..d30bdbf 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index a36a01d..8ce7893 100644 +index a36a01d..8203991 100644 --- a/apache.te +++ b/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.3.2) @@ -2963,7 +3063,7 @@ index a36a01d..8ce7893 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -362,6 +523,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -362,8 +523,10 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
@@ -2971,9 +3071,11 @@ index a36a01d..8ce7893 100644 +kernel_read_network_state(httpd_t) +kernel_search_network_sysctl(httpd_t) - corenet_all_recvfrom_unlabeled(httpd_t) +-corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -372,11 +536,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) + corenet_tcp_sendrecv_generic_if(httpd_t) + corenet_udp_sendrecv_generic_if(httpd_t) +@@ -372,11 +535,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -2994,7 +3096,7 @@ index a36a01d..8ce7893 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -385,9 +557,14 @@ dev_rw_crypto(httpd_t) +@@ -385,9 +556,14 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -3009,7 +3111,7 @@ index a36a01d..8ce7893 100644 # execute perl corecmd_exec_bin(httpd_t) corecmd_exec_shell(httpd_t) -@@ -398,59 +575,112 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -398,59 +574,112 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -3127,7 +3229,7 @@ index a36a01d..8ce7893 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -461,27 +691,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -461,27 +690,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -3191,7 +3293,7 @@ index a36a01d..8ce7893 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -491,7 +755,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -491,7 +754,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) 
@@ -3214,7 +3316,7 @@ index a36a01d..8ce7893 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -511,9 +790,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -511,9 +789,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -3235,7 +3337,7 @@ index a36a01d..8ce7893 100644 ') optional_policy(` -@@ -525,6 +814,9 @@ optional_policy(` +@@ -525,6 +813,9 @@ optional_policy(` ') optional_policy(` @@ -3245,7 +3347,7 @@ index a36a01d..8ce7893 100644 cobbler_search_lib(httpd_t) ') -@@ -540,6 +832,24 @@ optional_policy(` +@@ -540,6 +831,24 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -3270,7 +3372,7 @@ index a36a01d..8ce7893 100644 optional_policy(` dbus_system_bus_client(httpd_t) -@@ -549,13 +859,24 @@ optional_policy(` +@@ -549,13 +858,24 @@ optional_policy(` ') optional_policy(` @@ -3296,7 +3398,7 @@ index a36a01d..8ce7893 100644 ') optional_policy(` -@@ -568,7 +889,21 @@ optional_policy(` +@@ -568,7 +888,21 @@ optional_policy(` ') optional_policy(` @@ -3318,7 +3420,7 @@ index a36a01d..8ce7893 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -579,6 +914,7 @@ optional_policy(` +@@ -579,6 +913,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -3326,7 +3428,7 @@ index a36a01d..8ce7893 100644 ') optional_policy(` -@@ -589,6 +925,33 @@ optional_policy(` +@@ -589,6 +924,33 @@ optional_policy(` ') optional_policy(` @@ -3360,7 +3462,7 @@ index a36a01d..8ce7893 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -603,6 +966,11 @@ optional_policy(` +@@ -603,6 +965,11 @@ optional_policy(` ') optional_policy(` 
@@ -3372,7 +3474,7 @@ index a36a01d..8ce7893 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -615,6 +983,12 @@ optional_policy(` +@@ -615,6 +982,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -3385,7 +3487,7 @@ index a36a01d..8ce7893 100644 ######################################## # # Apache helper local policy -@@ -628,7 +1002,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -628,7 +1001,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -3398,7 +3500,7 @@ index a36a01d..8ce7893 100644 ######################################## # -@@ -666,28 +1044,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -666,28 +1043,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -3442,7 +3544,7 @@ index a36a01d..8ce7893 100644 ') ######################################## -@@ -697,6 +1077,7 @@ optional_policy(` +@@ -697,6 +1076,7 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -3450,7 +3552,7 @@ index a36a01d..8ce7893 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -711,19 +1092,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -711,19 +1091,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
@@ -3479,7 +3581,15 @@ index a36a01d..8ce7893 100644 files_read_usr_files(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -752,13 +1141,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,7 +1128,6 @@ tunable_policy(`httpd_can_network_connect',` + allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; + allow httpd_suexec_t self:udp_socket create_socket_perms; + +- corenet_all_recvfrom_unlabeled(httpd_suexec_t) + corenet_all_recvfrom_netlabel(httpd_suexec_t) + corenet_tcp_sendrecv_generic_if(httpd_suexec_t) + corenet_udp_sendrecv_generic_if(httpd_suexec_t) +@@ -752,13 +1139,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -3512,7 +3622,7 @@ index a36a01d..8ce7893 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -781,6 +1188,25 @@ optional_policy(` +@@ -781,6 +1186,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -3538,7 +3648,7 @@ index a36a01d..8ce7893 100644 ######################################## # # Apache system script local policy -@@ -801,12 +1227,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -801,12 +1225,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -3556,7 +3666,7 @@ index a36a01d..8ce7893 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -815,18 +1246,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -815,18 +1244,49 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -3598,9 +3708,9 @@ index a36a01d..8ce7893 100644 - corenet_tcp_bind_all_nodes(httpd_sys_script_t) - corenet_udp_bind_all_nodes(httpd_sys_script_t) +- corenet_all_recvfrom_unlabeled(httpd_sys_script_t) + corenet_tcp_bind_generic_node(httpd_sys_script_t) + corenet_udp_bind_generic_node(httpd_sys_script_t) - corenet_all_recvfrom_unlabeled(httpd_sys_script_t) corenet_all_recvfrom_netlabel(httpd_sys_script_t) - corenet_tcp_sendrecv_all_if(httpd_sys_script_t) - corenet_udp_sendrecv_all_if(httpd_sys_script_t) @@ -3613,7 +3723,7 @@ index a36a01d..8ce7893 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -834,14 +1297,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -834,14 +1294,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -3654,7 +3764,7 @@ index a36a01d..8ce7893 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -854,10 +1342,20 @@ optional_policy(` +@@ -854,10 +1339,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -3675,7 +3785,7 @@ index a36a01d..8ce7893 100644 ') ######################################## -@@ -873,7 +1371,6 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) +@@ -873,7 +1368,6 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_dontaudit_list_proc(httpd_rotatelogs_t) kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) @@ -3683,7 +3793,7 @@ index a36a01d..8ce7893 100644 logging_search_logs(httpd_rotatelogs_t) -@@ -903,11 +1400,144 @@ optional_policy(` +@@ -903,11 +1397,144 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; 
@@ -3916,7 +4026,7 @@ index e342775..1fedbe5 100644 + allow $1 apcupsd_unit_file_t:service all_service_perms; ') diff --git a/apcupsd.te b/apcupsd.te -index d052bf0..6c7828b 100644 +index d052bf0..08bd1c9 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t) @@ -3929,7 +4039,15 @@ index d052bf0..6c7828b 100644 ######################################## # # apcupsd local policy -@@ -76,24 +79,31 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file) +@@ -53,7 +56,6 @@ kernel_read_system_state(apcupsd_t) + corecmd_exec_bin(apcupsd_t) + corecmd_exec_shell(apcupsd_t) + +-corenet_all_recvfrom_unlabeled(apcupsd_t) + corenet_all_recvfrom_netlabel(apcupsd_t) + corenet_tcp_sendrecv_generic_if(apcupsd_t) + corenet_tcp_sendrecv_generic_node(apcupsd_t) +@@ -76,24 +78,31 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file) # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805 term_use_unallocated_ttys(apcupsd_t) @@ -3962,6 +4080,14 @@ index d052bf0..6c7828b 100644 mta_send_mail(apcupsd_t) mta_system_content(apcupsd_tmp_t) ') +@@ -113,7 +122,6 @@ optional_policy(` + allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; + +- corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t) + corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t) + corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) + corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) diff --git a/apm.fc b/apm.fc index 0123777..f2f0c35 100644 --- a/apm.fc @@ -4140,10 +4266,18 @@ index 1c8c27e..35d798f 100644 optional_policy(` diff --git a/apt.te b/apt.te -index 8555315..c5a4ce3 100644 +index 8555315..5bb2477 100644 --- a/apt.te 
+++ b/apt.te -@@ -121,7 +121,7 @@ fs_getattr_all_fs(apt_t) +@@ -94,7 +94,6 @@ kernel_read_kernel_sysctls(apt_t) + corecmd_exec_bin(apt_t) + corecmd_exec_shell(apt_t) + +-corenet_all_recvfrom_unlabeled(apt_t) + corenet_all_recvfrom_netlabel(apt_t) + corenet_tcp_sendrecv_generic_if(apt_t) + corenet_udp_sendrecv_generic_if(apt_t) +@@ -121,7 +120,7 @@ fs_getattr_all_fs(apt_t) term_create_pty(apt_t, apt_devpts_t) term_list_ptys(apt_t) @@ -4152,7 +4286,7 @@ index 8555315..c5a4ce3 100644 libs_exec_ld_so(apt_t) libs_exec_lib_files(apt_t) -@@ -134,7 +134,7 @@ seutil_use_newrole_fds(apt_t) +@@ -134,7 +133,7 @@ seutil_use_newrole_fds(apt_t) sysnet_read_config(apt_t) @@ -4235,7 +4369,7 @@ index c804110..06a516f 100644 + allow $1 arpwatch_unit_file_t:service all_service_perms; ') diff --git a/arpwatch.te b/arpwatch.te -index 804135f..d94d72e 100644 +index 804135f..762c50a 100644 --- a/arpwatch.te +++ b/arpwatch.te @@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t) @@ -4256,7 +4390,7 @@ index 804135f..d94d72e 100644 manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) -@@ -47,8 +51,9 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t) +@@ -47,12 +51,12 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t) files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file) kernel_read_network_state(arpwatch_t) @@ -4267,7 +4401,11 @@ index 804135f..d94d72e 100644 kernel_read_proc_symlinks(arpwatch_t) kernel_request_load_module(arpwatch_t) -@@ -74,7 +79,6 @@ corecmd_read_bin_symlinks(arpwatch_t) +-corenet_all_recvfrom_unlabeled(arpwatch_t) + corenet_all_recvfrom_netlabel(arpwatch_t) + corenet_tcp_sendrecv_generic_if(arpwatch_t) + corenet_udp_sendrecv_generic_if(arpwatch_t) +@@ -74,7 +78,6 @@ corecmd_read_bin_symlinks(arpwatch_t) domain_use_interactive_fds(arpwatch_t) 
@@ -4295,7 +4433,7 @@ index b6168fd..313c6e4 100644 domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; diff --git a/asterisk.te b/asterisk.te -index 3b4613b..3bd044f 100644 +index 3b4613b..3ebeb4c 100644 --- a/asterisk.te +++ b/asterisk.te @@ -20,10 +20,11 @@ type asterisk_log_t; @@ -4337,7 +4475,15 @@ index 3b4613b..3bd044f 100644 kernel_read_system_state(asterisk_t) kernel_read_kernel_sysctls(asterisk_t) kernel_request_load_module(asterisk_t) -@@ -109,9 +112,13 @@ corenet_tcp_bind_generic_port(asterisk_t) +@@ -89,7 +92,6 @@ kernel_request_load_module(asterisk_t) + corecmd_exec_bin(asterisk_t) + corecmd_exec_shell(asterisk_t) + +-corenet_all_recvfrom_unlabeled(asterisk_t) + corenet_all_recvfrom_netlabel(asterisk_t) + corenet_tcp_sendrecv_generic_if(asterisk_t) + corenet_udp_sendrecv_generic_if(asterisk_t) +@@ -109,9 +111,13 @@ corenet_tcp_bind_generic_port(asterisk_t) corenet_udp_bind_generic_port(asterisk_t) corenet_dontaudit_udp_bind_all_ports(asterisk_t) corenet_sendrecv_generic_server_packets(asterisk_t) @@ -4351,7 +4497,7 @@ index 3b4613b..3bd044f 100644 dev_rw_generic_usb_dev(asterisk_t) dev_read_sysfs(asterisk_t) -@@ -122,11 +129,11 @@ dev_read_urand(asterisk_t) +@@ -122,11 +128,11 @@ dev_read_urand(asterisk_t) domain_use_interactive_fds(asterisk_t) @@ -4364,7 +4510,7 @@ index 3b4613b..3bd044f 100644 fs_getattr_all_fs(asterisk_t) fs_list_inotifyfs(asterisk_t) -@@ -143,6 +150,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) +@@ -143,6 +149,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) userdom_dontaudit_search_user_home_dirs(asterisk_t) optional_policy(` @@ -4460,7 +4606,7 @@ index d80a16b..ef740ef 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index 39799db..8c012e9 100644 +index 39799db..3192298 100644 --- a/automount.te +++ b/automount.te @@ -22,6 +22,9 @@ type automount_tmp_t; 
@@ -4481,7 +4627,15 @@ index 39799db..8c012e9 100644 files_search_boot(automount_t) # Automount is slowly adding all mount functionality internally files_search_all(automount_t) -@@ -113,7 +117,6 @@ files_dontaudit_write_var_dirs(automount_t) +@@ -79,7 +83,6 @@ fs_search_all(automount_t) + corecmd_exec_bin(automount_t) + corecmd_exec_shell(automount_t) + +-corenet_all_recvfrom_unlabeled(automount_t) + corenet_all_recvfrom_netlabel(automount_t) + corenet_tcp_sendrecv_generic_if(automount_t) + corenet_udp_sendrecv_generic_if(automount_t) +@@ -113,7 +116,6 @@ files_dontaudit_write_var_dirs(automount_t) files_getattr_all_dirs(automount_t) files_list_mnt(automount_t) files_getattr_home_dir(automount_t) @@ -4489,7 +4643,7 @@ index 39799db..8c012e9 100644 files_read_etc_runtime_files(automount_t) # for if the mount point is not labelled files_getattr_isid_type_dirs(automount_t) -@@ -143,10 +146,6 @@ logging_search_logs(automount_t) +@@ -143,10 +145,6 @@ logging_search_logs(automount_t) miscfiles_read_localization(automount_t) miscfiles_read_generic_certs(automount_t) @@ -4500,7 +4654,7 @@ index 39799db..8c012e9 100644 userdom_dontaudit_use_unpriv_user_fds(automount_t) userdom_dontaudit_search_user_home_dirs(automount_t) -@@ -155,6 +154,13 @@ optional_policy(` +@@ -155,6 +153,13 @@ optional_policy(` ') optional_policy(` @@ -4588,7 +4742,7 @@ index 61c74bc..17b3ecc 100644 + allow $1 avahi_unit_file_t:service all_service_perms; ') diff --git a/avahi.te b/avahi.te -index a7a0e71..a70fe55 100644 +index a7a0e71..65bbd77 100644 --- a/avahi.te +++ b/avahi.te @@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t) @@ -4602,7 +4756,7 @@ index a7a0e71..a70fe55 100644 ######################################## # -@@ -46,6 +50,7 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file }) +@@ -46,11 +50,11 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file }) kernel_read_system_state(avahi_t) kernel_read_kernel_sysctls(avahi_t) kernel_read_network_state(avahi_t) 
@@ -4610,7 +4764,12 @@ index a7a0e71..a70fe55 100644 corecmd_exec_bin(avahi_t) corecmd_exec_shell(avahi_t) -@@ -74,7 +79,6 @@ fs_list_inotifyfs(avahi_t) + +-corenet_all_recvfrom_unlabeled(avahi_t) + corenet_all_recvfrom_netlabel(avahi_t) + corenet_tcp_sendrecv_generic_if(avahi_t) + corenet_udp_sendrecv_generic_if(avahi_t) +@@ -74,7 +78,6 @@ fs_list_inotifyfs(avahi_t) domain_use_interactive_fds(avahi_t) @@ -4618,7 +4777,16 @@ index a7a0e71..a70fe55 100644 files_read_etc_runtime_files(avahi_t) files_read_usr_files(avahi_t) -@@ -104,6 +108,10 @@ optional_policy(` +@@ -92,6 +95,8 @@ sysnet_domtrans_ifconfig(avahi_t) + sysnet_manage_config(avahi_t) + sysnet_etc_filetrans_config(avahi_t) + ++systemd_login_signull(avahi_t) ++ + userdom_dontaudit_use_unpriv_user_fds(avahi_t) + userdom_dontaudit_search_user_home_dirs(avahi_t) + +@@ -104,6 +109,10 @@ optional_policy(` ') optional_policy(` @@ -4660,10 +4828,18 @@ index 283ff0d..53f9ba1 100644 ## ## diff --git a/backup.te b/backup.te -index 0bfc958..af95b7a 100644 +index 0bfc958..81fc8bd 100644 --- a/backup.te +++ b/backup.te -@@ -70,7 +70,7 @@ logging_send_syslog_msg(backup_t) +@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(backup_t) + corecmd_exec_bin(backup_t) + corecmd_exec_shell(backup_t) + +-corenet_all_recvfrom_unlabeled(backup_t) + corenet_all_recvfrom_netlabel(backup_t) + corenet_tcp_sendrecv_generic_if(backup_t) + corenet_udp_sendrecv_generic_if(backup_t) +@@ -70,7 +69,7 @@ logging_send_syslog_msg(backup_t) sysnet_read_config(backup_t) @@ -5118,7 +5294,7 @@ index 44a1e3d..9b50c13 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 4deca04..939e2e3 100644 +index 4deca04..ecf98a1 100644 --- a/bind.te +++ b/bind.te @@ -6,6 +6,13 @@ policy_module(bind, 1.11.0) 
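Review bot: `systemd_login_signull(avahi_t)` in the inner hunk `+@@ -92,6 +95,8 @@` is added at top level, whereas the other cross-module calls in avahi.te (the `dbus_*` calls in the following hunk) sit inside `optional_policy()` blocks; that is only safe if the systemd module is part of the base policy in this tree, and the interface itself is defined outside this chunk per the commit message. If systemd policy can be absent, wrap it: `optional_policy(`` / `systemd_login_signull(avahi_t)` / `')`. Either way a why-comment would help the next reader, since `signull` only lets avahi probe whether logind processes exist rather than deliver a real signal: `# avahi-daemon probes systemd-logind with a null signal (existence check only)`.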
@@ -5174,7 +5350,15 @@ index 4deca04..939e2e3 100644 # read zone files allow named_t named_zone_t:dir list_dir_perms; -@@ -131,7 +143,6 @@ dev_read_urand(named_t) +@@ -104,7 +116,6 @@ kernel_read_network_state(named_t) + + corecmd_search_bin(named_t) + +-corenet_all_recvfrom_unlabeled(named_t) + corenet_all_recvfrom_netlabel(named_t) + corenet_tcp_sendrecv_generic_if(named_t) + corenet_udp_sendrecv_generic_if(named_t) +@@ -131,7 +142,6 @@ dev_read_urand(named_t) domain_use_interactive_fds(named_t) @@ -5182,7 +5366,7 @@ index 4deca04..939e2e3 100644 files_read_etc_runtime_files(named_t) fs_getattr_all_fs(named_t) -@@ -147,6 +158,10 @@ miscfiles_read_generic_certs(named_t) +@@ -147,6 +157,10 @@ miscfiles_read_generic_certs(named_t) userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_user_home_dirs(named_t) @@ -5193,7 +5377,7 @@ index 4deca04..939e2e3 100644 tunable_policy(`named_write_master_zones',` manage_dirs_pattern(named_t, named_zone_t, named_zone_t) manage_files_pattern(named_t, named_zone_t, named_zone_t) -@@ -154,6 +169,12 @@ tunable_policy(`named_write_master_zones',` +@@ -154,6 +168,12 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` @@ -5206,7 +5390,7 @@ index 4deca04..939e2e3 100644 init_dbus_chat_script(named_t) sysnet_dbus_chat_dhcpc(named_t) -@@ -206,10 +227,11 @@ allow ndc_t dnssec_t:lnk_file { getattr read }; +@@ -206,13 +226,13 @@ allow ndc_t dnssec_t:lnk_file { getattr read }; stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t) allow ndc_t named_conf_t:file read_file_perms; 
@@ -5218,8 +5402,11 @@ index 4deca04..939e2e3 100644 +kernel_read_system_state(ndc_t) kernel_read_kernel_sysctls(ndc_t) - corenet_all_recvfrom_unlabeled(ndc_t) -@@ -223,11 +245,12 @@ corenet_sendrecv_rndc_client_packets(ndc_t) +-corenet_all_recvfrom_unlabeled(ndc_t) + corenet_all_recvfrom_netlabel(ndc_t) + corenet_tcp_sendrecv_generic_if(ndc_t) + corenet_tcp_sendrecv_generic_node(ndc_t) +@@ -223,11 +243,12 @@ corenet_sendrecv_rndc_client_packets(ndc_t) domain_use_interactive_fds(ndc_t) @@ -5233,7 +5420,7 @@ index 4deca04..939e2e3 100644 init_use_fds(ndc_t) init_use_script_ptys(ndc_t) -@@ -235,16 +258,15 @@ logging_send_syslog_msg(ndc_t) +@@ -235,16 +256,15 @@ logging_send_syslog_msg(ndc_t) miscfiles_read_localization(ndc_t) @@ -5291,10 +5478,10 @@ index de0bd67..1df2048 100644 domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff --git a/bitlbee.te b/bitlbee.te -index f4e7ad3..eb5e6ad 100644 +index f4e7ad3..9aaf3f6 100644 --- a/bitlbee.te +++ b/bitlbee.te -@@ -22,29 +22,47 @@ files_tmp_file(bitlbee_tmp_t) +@@ -22,36 +22,56 @@ files_tmp_file(bitlbee_tmp_t) type bitlbee_var_t; files_type(bitlbee_var_t) @@ -5345,8 +5532,8 @@ index f4e7ad3..eb5e6ad 100644 + kernel_read_system_state(bitlbee_t) - corenet_all_recvfrom_unlabeled(bitlbee_t) -@@ -52,6 +70,9 @@ corenet_udp_sendrecv_generic_if(bitlbee_t) +-corenet_all_recvfrom_unlabeled(bitlbee_t) + corenet_udp_sendrecv_generic_if(bitlbee_t) corenet_udp_sendrecv_generic_node(bitlbee_t) corenet_tcp_sendrecv_generic_if(bitlbee_t) corenet_tcp_sendrecv_generic_node(bitlbee_t) 
@@ -5356,7 +5543,7 @@ index f4e7ad3..eb5e6ad 100644 # Allow bitlbee to connect to jabber servers corenet_tcp_connect_jabber_client_port(bitlbee_t) corenet_tcp_sendrecv_jabber_client_port(bitlbee_t) -@@ -69,11 +90,15 @@ corenet_tcp_connect_http_port(bitlbee_t) +@@ -69,11 +89,15 @@ corenet_tcp_connect_http_port(bitlbee_t) corenet_tcp_sendrecv_http_port(bitlbee_t) corenet_tcp_connect_http_cache_port(bitlbee_t) corenet_tcp_sendrecv_http_cache_port(bitlbee_t) @@ -5373,7 +5560,7 @@ index f4e7ad3..eb5e6ad 100644 files_search_pids(bitlbee_t) # grant read-only access to the user help files files_read_usr_files(bitlbee_t) -@@ -86,8 +111,6 @@ logging_send_syslog_msg(bitlbee_t) +@@ -86,8 +110,6 @@ logging_send_syslog_msg(bitlbee_t) miscfiles_read_localization(bitlbee_t) @@ -5710,7 +5897,7 @@ index 3e45431..540f783 100644 + allow $1 bluetooth_unit_file_t:service all_service_perms; ') diff --git a/bluetooth.te b/bluetooth.te -index d3019b3..59440d1 100644 +index d3019b3..f3834be 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -4,12 +4,13 @@ policy_module(bluetooth, 3.4.0) @@ -5738,7 +5925,15 @@ index d3019b3..59440d1 100644 ######################################## # # Bluetooth services local policy -@@ -127,7 +131,6 @@ corecmd_exec_shell(bluetooth_t) +@@ -96,7 +100,6 @@ kernel_request_load_module(bluetooth_t) + #search debugfs - redhat bug 548206 + kernel_search_debugfs(bluetooth_t) + +-corenet_all_recvfrom_unlabeled(bluetooth_t) + corenet_all_recvfrom_netlabel(bluetooth_t) + corenet_tcp_sendrecv_generic_if(bluetooth_t) + corenet_udp_sendrecv_generic_if(bluetooth_t) +@@ -127,7 +130,6 @@ corecmd_exec_shell(bluetooth_t) domain_use_interactive_fds(bluetooth_t) domain_dontaudit_search_all_domains_state(bluetooth_t) 
@@ -5746,7 +5941,7 @@ index d3019b3..59440d1 100644 files_read_etc_runtime_files(bluetooth_t) files_read_usr_files(bluetooth_t) -@@ -144,6 +147,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t) +@@ -144,6 +146,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t) userdom_dontaudit_search_user_home_dirs(bluetooth_t) optional_policy(` @@ -5757,7 +5952,7 @@ index d3019b3..59440d1 100644 dbus_system_bus_client(bluetooth_t) dbus_connect_system_bus(bluetooth_t) -@@ -212,11 +219,12 @@ corecmd_exec_shell(bluetooth_helper_t) +@@ -212,11 +218,12 @@ corecmd_exec_shell(bluetooth_helper_t) domain_read_all_domains_state(bluetooth_helper_t) @@ -5985,10 +6180,10 @@ index 0000000..9d891b7 +') diff --git a/boinc.te b/boinc.te new file mode 100644 -index 0000000..20156f6 +index 0000000..53e5ceb --- /dev/null +++ b/boinc.te -@@ -0,0 +1,200 @@ +@@ -0,0 +1,199 @@ +policy_module(boinc, 1.0.0) + +######################################## @@ -6104,7 +6299,6 @@ index 0000000..20156f6 +files_getattr_all_dirs(boinc_t) +files_getattr_all_files(boinc_t) + -+corenet_all_recvfrom_unlabeled(boinc_t) +corenet_all_recvfrom_netlabel(boinc_t) +corenet_tcp_sendrecv_generic_if(boinc_t) +corenet_udp_sendrecv_generic_if(boinc_t) @@ -6260,7 +6454,7 @@ index de89d0f..86e4ee7 100644 apache_list_sys_content($1) diff --git a/bugzilla.te b/bugzilla.te -index 048abbf..7368f57 100644 +index 048abbf..dece084 100644 --- a/bugzilla.te +++ b/bugzilla.te @@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.0) 
@@ -6273,7 +6467,15 @@ index 048abbf..7368f57 100644 ######################################## # # bugzilla local policy -@@ -31,6 +34,10 @@ corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) +@@ -16,7 +19,6 @@ allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms; + allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_bugzilla_script_t self:udp_socket create_socket_perms; + +-corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) + corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) + corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t) + corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t) +@@ -31,8 +33,14 @@ corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t) corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t) @@ -6283,7 +6485,11 @@ index 048abbf..7368f57 100644 + files_search_var_lib(httpd_bugzilla_script_t) ++auth_read_passwd(httpd_bugzilla_script_t) ++ sysnet_read_config(httpd_bugzilla_script_t) + sysnet_use_ldap(httpd_bugzilla_script_t) + diff --git a/cachefilesd.fc b/cachefilesd.fc new file mode 100644 index 0000000..a561ce0 @@ -6517,10 +6723,18 @@ index 0000000..40fd0ad + +init_sigchld_script(cachefiles_kernel_t) diff --git a/calamaris.te b/calamaris.te -index b13fb66..bef8664 100644 +index b13fb66..5409f59 100644 --- a/calamaris.te +++ b/calamaris.te -@@ -51,7 +51,6 @@ corenet_udp_sendrecv_all_ports(calamaris_t) +@@ -39,7 +39,6 @@ kernel_read_system_state(calamaris_t) + + corecmd_exec_bin(calamaris_t) + +-corenet_all_recvfrom_unlabeled(calamaris_t) + corenet_all_recvfrom_netlabel(calamaris_t) + corenet_tcp_sendrecv_generic_if(calamaris_t) + corenet_udp_sendrecv_generic_if(calamaris_t) +@@ -51,7 +50,6 @@ corenet_udp_sendrecv_all_ports(calamaris_t) dev_read_urand(calamaris_t) files_search_pids(calamaris_t) 
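Review bot: The added `auth_read_passwd(httpd_bugzilla_script_t)` in the bugzilla.te hunk grants read access to the whole passwd_file_t type, which is wider than the /etc/group file the commit message gives as the reason, and nothing at the rule records which script needs it. A one-line comment above it would let the next maintainer judge whether the access is still needed, e.g. `# editparams.cgi reads /etc/group`. If this policy has an interface scoped to the group file it would be the narrower choice; otherwise the comment should state that the wider type is intentional.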
@@ -7025,7 +7239,7 @@ index 4a26b0c..00b64dc 100644 domain_system_change_exemption($1) role_transition $2 canna_initrc_exec_t system_r; diff --git a/canna.te b/canna.te -index 1d25efe..1b16191 100644 +index 1d25efe..2ae3894 100644 --- a/canna.te +++ b/canna.te @@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms; @@ -7037,6 +7251,14 @@ index 1d25efe..1b16191 100644 logging_log_filetrans(canna_t, canna_log_t, { file dir }) manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) +@@ -50,7 +50,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir file sock_file }) + kernel_read_kernel_sysctls(canna_t) + kernel_read_system_state(canna_t) + +-corenet_all_recvfrom_unlabeled(canna_t) + corenet_all_recvfrom_netlabel(canna_t) + corenet_tcp_sendrecv_generic_if(canna_t) + corenet_tcp_sendrecv_generic_node(canna_t) diff --git a/ccs.fc b/ccs.fc index 8a7177d..bc4f6e7 100644 --- a/ccs.fc @@ -7050,7 +7272,7 @@ index 8a7177d..bc4f6e7 100644 /var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0) /var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) diff --git a/ccs.te b/ccs.te -index 4c90b57..f24cf1d 100644 +index 4c90b57..ee0e749 100644 --- a/ccs.te +++ b/ccs.te @@ -10,7 +10,7 @@ type ccs_exec_t; @@ -7080,7 +7302,15 @@ index 4c90b57..f24cf1d 100644 manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir }) -@@ -97,6 +97,7 @@ files_read_etc_files(ccs_t) +@@ -77,7 +77,6 @@ kernel_read_kernel_sysctls(ccs_t) + corecmd_list_bin(ccs_t) + corecmd_exec_bin(ccs_t) + +-corenet_all_recvfrom_unlabeled(ccs_t) + corenet_all_recvfrom_netlabel(ccs_t) + corenet_tcp_sendrecv_generic_if(ccs_t) + corenet_udp_sendrecv_generic_if(ccs_t) +@@ -97,6 +96,7 @@ files_read_etc_files(ccs_t) files_read_etc_runtime_files(ccs_t) init_rw_script_tmp_files(ccs_t) 
@@ -7088,7 +7318,7 @@ index 4c90b57..f24cf1d 100644 logging_send_syslog_msg(ccs_t) -@@ -118,5 +119,10 @@ optional_policy(` +@@ -118,5 +118,10 @@ optional_policy(` ') optional_policy(` @@ -7907,10 +8137,10 @@ index 0000000..efebae7 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..da7bbf7 +index 0000000..b3b6ffe --- /dev/null +++ b/chrome.te -@@ -0,0 +1,184 @@ +@@ -0,0 +1,183 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -7966,7 +8196,6 @@ index 0000000..da7bbf7 + +corecmd_exec_bin(chrome_sandbox_t) + -+corenet_all_recvfrom_unlabeled(chrome_sandbox_t) +corenet_all_recvfrom_netlabel(chrome_sandbox_t) +corenet_tcp_connect_flash_port(chrome_sandbox_t) +corenet_tcp_connect_streaming_port(chrome_sandbox_t) @@ -8379,6 +8608,18 @@ index fa82327..898d0db 100644 optional_policy(` gpsd_rw_shm(chronyd_t) ') +diff --git a/cipe.te b/cipe.te +index 8e1ef38..aae1260 100644 +--- a/cipe.te ++++ b/cipe.te +@@ -28,7 +28,6 @@ kernel_read_system_state(ciped_t) + corecmd_exec_shell(ciped_t) + corecmd_exec_bin(ciped_t) + +-corenet_all_recvfrom_unlabeled(ciped_t) + corenet_all_recvfrom_netlabel(ciped_t) + corenet_udp_sendrecv_generic_if(ciped_t) + corenet_udp_sendrecv_generic_node(ciped_t) diff --git a/clamav.fc b/clamav.fc index e8e9a21..22986ef 100644 --- a/clamav.fc @@ -8533,7 +8774,7 @@ index bbac14a..99c5cca 100644 + ') diff --git a/clamav.te b/clamav.te -index 5b7a1d7..e5d835c 100644 +index 5b7a1d7..e75455f 100644 --- a/clamav.te +++ b/clamav.te @@ -1,9 +1,23 @@ 
@@ -8602,7 +8843,15 @@ index 5b7a1d7..e5d835c 100644 kernel_dontaudit_list_proc(clamd_t) kernel_read_sysctl(clamd_t) -@@ -110,6 +131,7 @@ corenet_tcp_bind_generic_node(clamd_t) +@@ -100,7 +121,6 @@ kernel_read_system_state(clamd_t) + + corecmd_exec_shell(clamd_t) + +-corenet_all_recvfrom_unlabeled(clamd_t) + corenet_all_recvfrom_netlabel(clamd_t) + corenet_tcp_sendrecv_generic_if(clamd_t) + corenet_tcp_sendrecv_generic_node(clamd_t) +@@ -110,6 +130,7 @@ corenet_tcp_bind_generic_node(clamd_t) corenet_tcp_bind_clamd_port(clamd_t) corenet_tcp_bind_generic_port(clamd_t) corenet_tcp_connect_generic_port(clamd_t) @@ -8610,7 +8859,7 @@ index 5b7a1d7..e5d835c 100644 corenet_sendrecv_clamd_server_packets(clamd_t) dev_read_rand(clamd_t) -@@ -117,7 +139,6 @@ dev_read_urand(clamd_t) +@@ -117,7 +138,6 @@ dev_read_urand(clamd_t) domain_use_interactive_fds(clamd_t) @@ -8618,7 +8867,7 @@ index 5b7a1d7..e5d835c 100644 files_read_etc_runtime_files(clamd_t) files_search_spool(clamd_t) -@@ -127,13 +148,6 @@ logging_send_syslog_msg(clamd_t) +@@ -127,13 +147,6 @@ logging_send_syslog_msg(clamd_t) miscfiles_read_localization(clamd_t) @@ -8632,7 +8881,7 @@ index 5b7a1d7..e5d835c 100644 optional_policy(` amavis_read_lib_files(clamd_t) amavis_read_spool_files(clamd_t) -@@ -142,13 +156,31 @@ optional_policy(` +@@ -142,13 +155,31 @@ optional_policy(` ') optional_policy(` @@ -8665,7 +8914,7 @@ index 5b7a1d7..e5d835c 100644 ') ######################################## -@@ -178,10 +210,17 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) +@@ -178,17 +209,25 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) # log files (own logfiles only) manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) 
@@ -8675,6 +8924,7 @@ index 5b7a1d7..e5d835c 100644 +read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t) logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) +-corenet_all_recvfrom_unlabeled(freshclam_t) +kernel_read_kernel_sysctls(freshclam_t) +kernel_read_network_state(freshclam_t) +kernel_read_system_state(freshclam_t) @@ -8682,10 +8932,9 @@ index 5b7a1d7..e5d835c 100644 +corecmd_exec_shell(freshclam_t) +corecmd_exec_bin(freshclam_t) + - corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -189,6 +228,8 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) + corenet_tcp_sendrecv_generic_node(freshclam_t) corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) @@ -8694,7 +8943,7 @@ index 5b7a1d7..e5d835c 100644 corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -196,7 +237,6 @@ dev_read_urand(freshclam_t) +@@ -196,7 +235,6 @@ dev_read_urand(freshclam_t) domain_use_interactive_fds(freshclam_t) @@ -8702,7 +8951,7 @@ index 5b7a1d7..e5d835c 100644 files_read_etc_runtime_files(freshclam_t) auth_use_nsswitch(freshclam_t) -@@ -207,16 +247,22 @@ miscfiles_read_localization(freshclam_t) +@@ -207,16 +245,22 @@ miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) 
@@ -8729,16 +8978,16 @@ index 5b7a1d7..e5d835c 100644 ######################################## # # clamscam local policy -@@ -242,17 +288,36 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) +@@ -242,17 +286,35 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) allow clamscan_t clamd_var_lib_t:dir list_dir_perms; +-corenet_all_recvfrom_unlabeled(clamscan_t) +read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t) +allow clamscan_t clamd_var_run_t:dir list_dir_perms; + +kernel_read_system_state(clamscan_t) + - corenet_all_recvfrom_unlabeled(clamscan_t) corenet_all_recvfrom_netlabel(clamscan_t) corenet_tcp_sendrecv_generic_if(clamscan_t) corenet_tcp_sendrecv_generic_node(clamscan_t) @@ -8767,7 +9016,7 @@ index 5b7a1d7..e5d835c 100644 files_read_etc_runtime_files(clamscan_t) files_search_var_lib(clamscan_t) -@@ -264,10 +329,15 @@ miscfiles_read_public_files(clamscan_t) +@@ -264,10 +326,15 @@ miscfiles_read_public_files(clamscan_t) clamav_stream_connect(clamscan_t) @@ -8786,10 +9035,18 @@ index 5b7a1d7..e5d835c 100644 optional_policy(` diff --git a/clockspeed.te b/clockspeed.te -index b40f3f7..3676ecc 100644 +index b40f3f7..c0f501a 100644 --- a/clockspeed.te +++ b/clockspeed.te -@@ -38,7 +38,7 @@ files_read_etc_files(clockspeed_cli_t) +@@ -26,7 +26,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms; + + read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t) + +-corenet_all_recvfrom_unlabeled(clockspeed_cli_t) + corenet_all_recvfrom_netlabel(clockspeed_cli_t) + corenet_udp_sendrecv_generic_if(clockspeed_cli_t) + corenet_udp_sendrecv_generic_node(clockspeed_cli_t) +@@ -38,7 +37,7 @@ files_read_etc_files(clockspeed_cli_t) miscfiles_read_localization(clockspeed_cli_t) 
@@ -8798,6 +9055,14 @@ index b40f3f7..3676ecc 100644 ######################################## # +@@ -53,7 +52,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms; + manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) + manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) + +-corenet_all_recvfrom_unlabeled(clockspeed_srv_t) + corenet_all_recvfrom_netlabel(clockspeed_srv_t) + corenet_udp_sendrecv_generic_if(clockspeed_srv_t) + corenet_udp_sendrecv_generic_node(clockspeed_srv_t) diff --git a/cloudform.fc b/cloudform.fc new file mode 100644 index 0000000..61ab864 @@ -8872,10 +9137,10 @@ index 0000000..7f55959 +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..ebf11b1 +index 0000000..7e1d71e --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,198 @@ +@@ -0,0 +1,199 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -9056,6 +9321,7 @@ index 0000000..ebf11b1 + +corenet_tcp_bind_generic_node(mongod_t) +corenet_tcp_bind_mongod_port(mongod_t) ++corenet_tcp_connect_postgresql_port(mongod_t) + +kernel_read_vm_sysctls(mongod_t) +kernel_read_system_state(mongod_t) @@ -9366,7 +9632,7 @@ index 116d60f..e2c6ec6 100644 + allow $1 cobblerd_unit_file_t:service all_service_perms; ') diff --git a/cobbler.te b/cobbler.te -index 0258b48..0737f85 100644 +index 0258b48..abff100 100644 --- a/cobbler.te +++ b/cobbler.te @@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0) 
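Review bot: The new `corenet_tcp_connect_postgresql_port(mongod_t)` in the cloudform.te hunk is not mentioned in the commit message, and a MongoDB server initiating connections to the PostgreSQL port is unusual enough that the reason should be recorded next to the rule. Add a comment naming the component or report that requires it, e.g. `# <cloudform component> connects to postgresql; see <bug or report reference>`. If only some deployments need this, consider making it conditional on a boolean rather than granting it to every mongod_t unconditionally.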
@@ -9456,7 +9722,7 @@ index 0258b48..0737f85 100644 append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -@@ -52,7 +92,14 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +@@ -52,57 +92,132 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) @@ -9471,7 +9737,12 @@ index 0258b48..0737f85 100644 corecmd_exec_bin(cobblerd_t) corecmd_exec_shell(cobblerd_t) -@@ -65,44 +112,113 @@ corenet_tcp_bind_generic_node(cobblerd_t) + + corenet_all_recvfrom_netlabel(cobblerd_t) +-corenet_all_recvfrom_unlabeled(cobblerd_t) + corenet_sendrecv_cobbler_server_packets(cobblerd_t) + corenet_tcp_bind_cobbler_port(cobblerd_t) + corenet_tcp_bind_generic_node(cobblerd_t) corenet_tcp_sendrecv_generic_if(cobblerd_t) corenet_tcp_sendrecv_generic_node(cobblerd_t) corenet_tcp_sendrecv_generic_port(cobblerd_t) @@ -9587,7 +9858,7 @@ index 0258b48..0737f85 100644 ') optional_policy(` -@@ -110,12 +226,21 @@ optional_policy(` +@@ -110,12 +225,21 @@ optional_policy(` ') optional_policy(` @@ -9612,7 +9883,7 @@ index 0258b48..0737f85 100644 ') ######################################## -@@ -124,5 +249,6 @@ optional_policy(` +@@ -124,5 +248,6 @@ optional_policy(` # apache_content_template(cobbler) @@ -9971,7 +10242,7 @@ index 733e4e6..fa2c3cb 100644 + ps_process_pattern($1, colord_t) +') diff --git a/colord.te b/colord.te -index 74505cc..c7298b2 100644 +index 74505cc..5861f7d 100644 --- a/colord.te +++ b/colord.te @@ -8,6 +8,7 @@ policy_module(colord, 1.0.0) 
@@ -10003,7 +10274,7 @@ index 74505cc..c7298b2 100644 allow colord_t self:udp_socket create_socket_perms; allow colord_t self:unix_dgram_socket create_socket_perms; -@@ -41,8 +48,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) +@@ -41,15 +48,22 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir }) @@ -10017,9 +10288,9 @@ index 74505cc..c7298b2 100644 +corecmd_exec_bin(colord_t) +corecmd_exec_shell(colord_t) - corenet_all_recvfrom_unlabeled(colord_t) +-corenet_all_recvfrom_unlabeled(colord_t) corenet_all_recvfrom_netlabel(colord_t) -@@ -50,6 +63,8 @@ corenet_udp_bind_generic_node(colord_t) + corenet_udp_bind_generic_node(colord_t) corenet_udp_bind_ipp_port(colord_t) corenet_tcp_connect_ipp_port(colord_t) @@ -10028,7 +10299,7 @@ index 74505cc..c7298b2 100644 dev_read_video_dev(colord_t) dev_write_video_dev(colord_t) dev_rw_printer(colord_t) -@@ -62,22 +77,37 @@ dev_rw_generic_usb_dev(colord_t) +@@ -62,22 +76,37 @@ dev_rw_generic_usb_dev(colord_t) domain_use_interactive_fds(colord_t) files_list_mnt(colord_t) @@ -10068,7 +10339,7 @@ index 74505cc..c7298b2 100644 fs_read_cifs_files(colord_t) ') -@@ -89,6 +119,12 @@ optional_policy(` +@@ -89,6 +118,12 @@ optional_policy(` ') optional_policy(` @@ -10081,7 +10352,7 @@ index 74505cc..c7298b2 100644 policykit_dbus_chat(colord_t) policykit_domtrans_auth(colord_t) policykit_read_lib(colord_t) -@@ -96,5 +132,19 @@ optional_policy(` +@@ -96,5 +131,19 @@ optional_policy(` ') optional_policy(` @@ -10102,10 +10373,18 @@ index 74505cc..c7298b2 100644 + zoneminder_rw_tmpfs_files(colord_t) +') diff --git a/comsat.te b/comsat.te -index 3d121fd..fbad020 100644 +index 3d121fd..b4cfef9 100644 --- a/comsat.te 
+++ b/comsat.te -@@ -51,7 +51,6 @@ dev_read_urand(comsat_t) +@@ -39,7 +39,6 @@ kernel_read_kernel_sysctls(comsat_t) + kernel_read_network_state(comsat_t) + kernel_read_system_state(comsat_t) + +-corenet_all_recvfrom_unlabeled(comsat_t) + corenet_all_recvfrom_netlabel(comsat_t) + corenet_tcp_sendrecv_generic_if(comsat_t) + corenet_udp_sendrecv_generic_if(comsat_t) +@@ -51,7 +50,6 @@ dev_read_urand(comsat_t) fs_getattr_xattr_fs(comsat_t) @@ -11648,10 +11927,18 @@ index 47dfa07..1beadbd 100644 ifdef(`distro_gentoo',` /usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) diff --git a/courier.if b/courier.if -index 9971337..180e704 100644 +index 9971337..476f1e2 100644 --- a/courier.if +++ b/courier.if -@@ -104,6 +104,25 @@ interface(`courier_domtrans_authdaemon',` +@@ -50,7 +50,6 @@ template(`courier_domain_template',` + + corecmd_exec_bin(courier_$1_t) + +- corenet_all_recvfrom_unlabeled(courier_$1_t) + corenet_all_recvfrom_netlabel(courier_$1_t) + corenet_tcp_sendrecv_generic_if(courier_$1_t) + corenet_udp_sendrecv_generic_if(courier_$1_t) +@@ -104,6 +103,25 @@ interface(`courier_domtrans_authdaemon',` domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t) ') @@ -11677,7 +11964,7 @@ index 9971337..180e704 100644 ######################################## ## ## Execute the courier POP3 and IMAP server with -@@ -138,6 +157,7 @@ interface(`courier_read_config',` +@@ -138,6 +156,7 @@ interface(`courier_read_config',` type courier_etc_t; ') @@ -11685,7 +11972,7 @@ index 9971337..180e704 100644 read_files_pattern($1, courier_etc_t, courier_etc_t) ') -@@ -157,6 +177,7 @@ interface(`courier_manage_spool_dirs',` +@@ -157,6 +176,7 @@ interface(`courier_manage_spool_dirs',` type courier_spool_t; ') 
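Review bot: The removal of `corenet_all_recvfrom_unlabeled(courier_$1_t)` in the courier.if hunk is inside `courier_domain_template`, whose type declaration for courier_$1_t lies outside the hunk; the commit relies on domain.if now granting this to every domain_type, so this particular removal is only equivalent if the template attaches domain_type to courier_$1_t. Please confirm that at the template header. The other removals in this chunk are for ordinary per-module process types and presumably carry domain_type, but the template-generated type is the one place where that is not obvious from the patch.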
@@ -11693,7 +11980,7 @@ index 9971337..180e704 100644 manage_dirs_pattern($1, courier_spool_t, courier_spool_t) ') -@@ -176,6 +197,7 @@ interface(`courier_manage_spool_files',` +@@ -176,6 +196,7 @@ interface(`courier_manage_spool_files',` type courier_spool_t; ') @@ -11701,7 +11988,7 @@ index 9971337..180e704 100644 manage_files_pattern($1, courier_spool_t, courier_spool_t) ') -@@ -183,7 +205,7 @@ interface(`courier_manage_spool_files',` +@@ -183,7 +204,7 @@ interface(`courier_manage_spool_files',` ## ## Read courier spool files. ## @@ -11710,7 +11997,7 @@ index 9971337..180e704 100644 ## ## Domain allowed access. ## -@@ -194,6 +216,7 @@ interface(`courier_read_spool',` +@@ -194,6 +215,7 @@ interface(`courier_read_spool',` type courier_spool_t; ') @@ -12339,7 +12626,7 @@ index 6e12dc7..bd94df7 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/cron.te b/cron.te -index b357856..3155d2a 100644 +index b357856..2af4e88 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ @@ -12696,7 +12983,15 @@ index b357856..3155d2a 100644 kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) -@@ -365,6 +448,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) +@@ -353,7 +436,6 @@ files_dontaudit_search_boot(system_cronjob_t) + + corecmd_exec_all_executables(system_cronjob_t) + +-corenet_all_recvfrom_unlabeled(system_cronjob_t) + corenet_all_recvfrom_netlabel(system_cronjob_t) + corenet_tcp_sendrecv_generic_if(system_cronjob_t) + corenet_udp_sendrecv_generic_if(system_cronjob_t) +@@ -365,6 +447,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) 
@@ -12704,7 +12999,7 @@ index b357856..3155d2a 100644 fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -376,7 +460,6 @@ fs_getattr_all_sockets(system_cronjob_t) +@@ -376,7 +459,6 @@ fs_getattr_all_sockets(system_cronjob_t) domain_dontaudit_read_all_domains_state(system_cronjob_t) files_exec_etc_files(system_cronjob_t) @@ -12712,7 +13007,7 @@ index b357856..3155d2a 100644 files_read_etc_runtime_files(system_cronjob_t) files_list_all(system_cronjob_t) files_getattr_all_dirs(system_cronjob_t) -@@ -391,6 +474,7 @@ files_dontaudit_search_pids(system_cronjob_t) +@@ -391,6 +473,7 @@ files_dontaudit_search_pids(system_cronjob_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -12720,7 +13015,7 @@ index b357856..3155d2a 100644 init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -413,8 +497,10 @@ miscfiles_manage_man_pages(system_cronjob_t) +@@ -413,8 +496,10 @@ miscfiles_manage_man_pages(system_cronjob_t) seutil_read_config(system_cronjob_t) @@ -12732,7 +13027,7 @@ index b357856..3155d2a 100644 # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -439,6 +525,8 @@ optional_policy(` +@@ -439,6 +524,8 @@ optional_policy(` apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) @@ -12741,7 +13036,7 @@ index b357856..3155d2a 100644 ') optional_policy(` -@@ -446,6 +534,14 @@ optional_policy(` +@@ -446,6 +533,14 @@ optional_policy(` ') optional_policy(` @@ -12756,7 +13051,7 @@ index b357856..3155d2a 100644 ftp_read_log(system_cronjob_t) ') -@@ -456,6 +552,10 @@ optional_policy(` +@@ -456,6 +551,10 @@ optional_policy(` ') optional_policy(` @@ -12767,7 +13062,7 @@ index b357856..3155d2a 100644 lpd_list_spool(system_cronjob_t) ') -@@ -464,7 +564,9 @@ optional_policy(` +@@ -464,7 +563,9 @@ optional_policy(` ') optional_policy(` 
@@ -12777,7 +13072,7 @@ index b357856..3155d2a 100644 ') optional_policy(` -@@ -472,6 +574,10 @@ optional_policy(` +@@ -472,6 +573,10 @@ optional_policy(` ') optional_policy(` @@ -12788,7 +13083,7 @@ index b357856..3155d2a 100644 postfix_read_config(system_cronjob_t) ') -@@ -480,7 +586,7 @@ optional_policy(` +@@ -480,7 +585,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -12797,7 +13092,7 @@ index b357856..3155d2a 100644 ') optional_policy(` -@@ -495,6 +601,7 @@ optional_policy(` +@@ -495,6 +600,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -12805,7 +13100,7 @@ index b357856..3155d2a 100644 ') optional_policy(` -@@ -502,7 +609,18 @@ optional_policy(` +@@ -502,7 +608,18 @@ optional_policy(` ') optional_policy(` @@ -12824,7 +13119,15 @@ index b357856..3155d2a 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -595,9 +713,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -542,7 +659,6 @@ kernel_read_kernel_sysctls(cronjob_t) + # ps does not need to access /boot when run from cron + files_dontaudit_search_boot(cronjob_t) + +-corenet_all_recvfrom_unlabeled(cronjob_t) + corenet_all_recvfrom_netlabel(cronjob_t) + corenet_tcp_sendrecv_generic_if(cronjob_t) + corenet_udp_sendrecv_generic_if(cronjob_t) +@@ -595,9 +711,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -13420,7 +13723,7 @@ index 305ddf4..11d010a 100644 + filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat") ') diff --git a/cups.te b/cups.te -index 6e7f1b6..f8cf711 100644 +index 6e7f1b6..9f6cabb 100644 --- a/cups.te +++ b/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) 
@@ -13472,7 +13775,7 @@ index 6e7f1b6..f8cf711 100644 allow cupsd_t hplip_t:process { signal sigkill }; -@@ -159,7 +166,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) +@@ -159,14 +166,13 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) allow cupsd_t hplip_var_run_t:file read_file_perms; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) @@ -13481,7 +13784,14 @@ index 6e7f1b6..f8cf711 100644 kernel_read_system_state(cupsd_t) kernel_read_network_state(cupsd_t) -@@ -211,6 +218,7 @@ mls_rangetrans_target(cupsd_t) + kernel_read_all_sysctls(cupsd_t) + kernel_request_load_module(cupsd_t) + +-corenet_all_recvfrom_unlabeled(cupsd_t) + corenet_all_recvfrom_netlabel(cupsd_t) + corenet_tcp_sendrecv_generic_if(cupsd_t) + corenet_udp_sendrecv_generic_if(cupsd_t) +@@ -211,6 +217,7 @@ mls_rangetrans_target(cupsd_t) mls_socket_write_all_levels(cupsd_t) mls_fd_use_all_levels(cupsd_t) @@ -13489,7 +13799,7 @@ index 6e7f1b6..f8cf711 100644 term_use_unallocated_ttys(cupsd_t) term_search_ptys(cupsd_t) -@@ -220,11 +228,12 @@ corecmd_exec_bin(cupsd_t) +@@ -220,11 +227,12 @@ corecmd_exec_bin(cupsd_t) domain_use_interactive_fds(cupsd_t) @@ -13503,7 +13813,7 @@ index 6e7f1b6..f8cf711 100644 # for /var/lib/defoma files_read_var_lib_files(cupsd_t) files_list_world_readable(cupsd_t) -@@ -270,12 +279,6 @@ files_dontaudit_list_home(cupsd_t) +@@ -270,12 +278,6 @@ files_dontaudit_list_home(cupsd_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_user_home_content(cupsd_t) @@ -13516,7 +13826,7 @@ index 6e7f1b6..f8cf711 100644 optional_policy(` apm_domtrans_client(cupsd_t) ') -@@ -287,6 +290,8 @@ optional_policy(` +@@ -287,6 +289,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -13525,7 +13835,7 @@ index 6e7f1b6..f8cf711 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -297,8 +302,10 @@ optional_policy(` +@@ -297,8 +301,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') 
@@ -13536,7 +13846,7 @@ index 6e7f1b6..f8cf711 100644 ') ') -@@ -311,10 +318,23 @@ optional_policy(` +@@ -311,10 +317,23 @@ optional_policy(` ') optional_policy(` @@ -13560,7 +13870,7 @@ index 6e7f1b6..f8cf711 100644 mta_send_mail(cupsd_t) ') -@@ -322,6 +342,8 @@ optional_policy(` +@@ -322,6 +341,8 @@ optional_policy(` # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) @@ -13569,7 +13879,7 @@ index 6e7f1b6..f8cf711 100644 ') optional_policy(` -@@ -371,8 +393,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) +@@ -371,8 +392,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -13580,7 +13890,15 @@ index 6e7f1b6..f8cf711 100644 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -@@ -407,7 +430,6 @@ domain_use_interactive_fds(cupsd_config_t) +@@ -381,7 +403,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) + kernel_read_system_state(cupsd_config_t) + kernel_read_all_sysctls(cupsd_config_t) + +-corenet_all_recvfrom_unlabeled(cupsd_config_t) + corenet_all_recvfrom_netlabel(cupsd_config_t) + corenet_tcp_sendrecv_generic_if(cupsd_config_t) + corenet_tcp_sendrecv_generic_node(cupsd_config_t) +@@ -407,7 +428,6 @@ domain_use_interactive_fds(cupsd_config_t) domain_dontaudit_search_all_domains_state(cupsd_config_t) files_read_usr_files(cupsd_config_t) @@ -13588,7 +13906,7 @@ index 6e7f1b6..f8cf711 100644 files_read_etc_runtime_files(cupsd_config_t) files_read_var_symlinks(cupsd_config_t) -@@ -425,11 +447,11 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -425,11 +445,11 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) 
@@ -13602,7 +13920,7 @@ index 6e7f1b6..f8cf711 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +475,10 @@ optional_policy(` +@@ -453,6 +473,10 @@ optional_policy(` ') optional_policy(` @@ -13613,7 +13931,7 @@ index 6e7f1b6..f8cf711 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +493,10 @@ optional_policy(` +@@ -467,6 +491,10 @@ optional_policy(` ') optional_policy(` @@ -13624,7 +13942,15 @@ index 6e7f1b6..f8cf711 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -537,13 +567,13 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) +@@ -526,7 +554,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t) + kernel_read_system_state(cupsd_lpd_t) + kernel_read_network_state(cupsd_lpd_t) + +-corenet_all_recvfrom_unlabeled(cupsd_lpd_t) + corenet_all_recvfrom_netlabel(cupsd_lpd_t) + corenet_tcp_sendrecv_generic_if(cupsd_lpd_t) + corenet_udp_sendrecv_generic_if(cupsd_lpd_t) +@@ -537,13 +564,13 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) corenet_tcp_bind_generic_node(cupsd_lpd_t) corenet_udp_bind_generic_node(cupsd_lpd_t) corenet_tcp_connect_ipp_port(cupsd_lpd_t) @@ -13639,7 +13965,7 @@ index 6e7f1b6..f8cf711 100644 auth_use_nsswitch(cupsd_lpd_t) -@@ -577,7 +607,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t) +@@ -577,7 +604,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -13647,7 +13973,7 @@ index 6e7f1b6..f8cf711 100644 files_read_usr_files(cups_pdf_t) corecmd_exec_shell(cups_pdf_t) -@@ -587,23 +616,22 @@ auth_use_nsswitch(cups_pdf_t) +@@ -587,23 +613,22 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) 
@@ -13680,7 +14006,15 @@ index 6e7f1b6..f8cf711 100644 ') ######################################## -@@ -661,10 +689,10 @@ corenet_tcp_bind_generic_node(hplip_t) +@@ -647,7 +672,6 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file) + kernel_read_system_state(hplip_t) + kernel_read_kernel_sysctls(hplip_t) + +-corenet_all_recvfrom_unlabeled(hplip_t) + corenet_all_recvfrom_netlabel(hplip_t) + corenet_tcp_sendrecv_generic_if(hplip_t) + corenet_udp_sendrecv_generic_if(hplip_t) +@@ -661,10 +685,10 @@ corenet_tcp_bind_generic_node(hplip_t) corenet_udp_bind_generic_node(hplip_t) corenet_tcp_bind_hplip_port(hplip_t) corenet_tcp_connect_hplip_port(hplip_t) @@ -13694,7 +14028,7 @@ index 6e7f1b6..f8cf711 100644 dev_read_sysfs(hplip_t) dev_rw_printer(hplip_t) -@@ -682,9 +710,11 @@ corecmd_exec_bin(hplip_t) +@@ -682,9 +706,11 @@ corecmd_exec_bin(hplip_t) domain_use_interactive_fds(hplip_t) @@ -13707,9 +14041,11 @@ index 6e7f1b6..f8cf711 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +726,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -695,9 +721,12 @@ sysnet_read_config(hplip_t) + userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) ++userdom_dbus_send_all_users(hplip_t) -lpd_read_config(hplip_t) -lpd_manage_spool(hplip_t) @@ -13720,7 +14056,15 @@ index 6e7f1b6..f8cf711 100644 optional_policy(` dbus_system_bus_client(hplip_t) -@@ -760,7 +792,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -743,7 +772,6 @@ kernel_read_kernel_sysctls(ptal_t) + kernel_list_proc(ptal_t) + kernel_read_proc_symlinks(ptal_t) + +-corenet_all_recvfrom_unlabeled(ptal_t) + corenet_all_recvfrom_netlabel(ptal_t) + corenet_tcp_sendrecv_generic_if(ptal_t) + corenet_tcp_sendrecv_generic_node(ptal_t) +@@ -760,7 +788,6 @@ fs_search_auto_mountpoints(ptal_t) domain_use_interactive_fds(ptal_t) 
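Review bot: `userdom_dbus_send_all_users(hplip_t)` in the cups.te hunk is placed among the userdom_dontaudit rules rather than inside the optional_policy block holding `dbus_system_bus_client(hplip_t)` that appears in the following hunk, where hplip_t's other D-Bus rules live; moving it there keeps the D-Bus permissions together and makes them conditional on the dbus module like the rest. The rule is also absent from the commit message, so a short comment such as `# <reason hplip must send D-Bus messages to user sessions>` would help a later reviewer decide whether it is still required.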
@@ -13778,7 +14122,7 @@ index c43ff4c..5da88b5 100644 init_labeled_script_domtrans($1, cvs_initrc_exec_t) domain_system_change_exemption($1) diff --git a/cvs.te b/cvs.te -index 88e7e97..4742d3a 100644 +index 88e7e97..fee2106 100644 --- a/cvs.te +++ b/cvs.te @@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0) @@ -13804,7 +14148,15 @@ index 88e7e97..4742d3a 100644 manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) -@@ -76,11 +76,12 @@ auth_use_nsswitch(cvs_t) +@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(cvs_t) + kernel_read_system_state(cvs_t) + kernel_read_network_state(cvs_t) + +-corenet_all_recvfrom_unlabeled(cvs_t) + corenet_all_recvfrom_netlabel(cvs_t) + corenet_tcp_sendrecv_generic_if(cvs_t) + corenet_udp_sendrecv_generic_if(cvs_t) +@@ -76,11 +75,12 @@ auth_use_nsswitch(cvs_t) corecmd_exec_bin(cvs_t) corecmd_exec_shell(cvs_t) @@ -13818,7 +14170,7 @@ index 88e7e97..4742d3a 100644 logging_send_syslog_msg(cvs_t) logging_send_audit_msgs(cvs_t) -@@ -88,9 +89,11 @@ miscfiles_read_localization(cvs_t) +@@ -88,9 +88,11 @@ miscfiles_read_localization(cvs_t) mta_send_mail(cvs_t) 
@@ -13831,12 +14183,24 @@ index 88e7e97..4742d3a 100644 allow cvs_t self:capability dac_override; auth_tunable_read_shadow(cvs_t) ') -@@ -112,4 +115,5 @@ optional_policy(` +@@ -112,4 +114,5 @@ optional_policy(` read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') +diff --git a/cyphesis.te b/cyphesis.te +index 25897c9..8cf56de 100644 +--- a/cyphesis.te ++++ b/cyphesis.te +@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t) + corecmd_search_bin(cyphesis_t) + corecmd_getattr_bin_files(cyphesis_t) + +-corenet_all_recvfrom_unlabeled(cyphesis_t) + corenet_tcp_sendrecv_generic_if(cyphesis_t) + corenet_tcp_sendrecv_generic_node(cyphesis_t) + corenet_tcp_sendrecv_all_ports(cyphesis_t) diff --git a/cyrus.if b/cyrus.if index e4e86d0..7c30655 100644 --- a/cyrus.if @@ -13857,7 +14221,7 @@ index e4e86d0..7c30655 100644 domain_system_change_exemption($1) role_transition $2 cyrus_initrc_exec_t system_r; diff --git a/cyrus.te b/cyrus.te -index a531e6f..ec075b8 100644 +index a531e6f..323da45 100644 --- a/cyrus.te +++ b/cyrus.te @@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t) 
@@ -13869,7 +14233,15 @@ index a531e6f..ec075b8 100644 dontaudit cyrus_t self:capability sys_tty_config; allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow cyrus_t self:process setrlimit; -@@ -73,6 +73,7 @@ corenet_udp_sendrecv_all_ports(cyrus_t) +@@ -62,7 +62,6 @@ kernel_read_kernel_sysctls(cyrus_t) + kernel_read_system_state(cyrus_t) + kernel_read_all_sysctls(cyrus_t) + +-corenet_all_recvfrom_unlabeled(cyrus_t) + corenet_all_recvfrom_netlabel(cyrus_t) + corenet_tcp_sendrecv_generic_if(cyrus_t) + corenet_udp_sendrecv_generic_if(cyrus_t) +@@ -73,6 +72,7 @@ corenet_udp_sendrecv_all_ports(cyrus_t) corenet_tcp_bind_generic_node(cyrus_t) corenet_tcp_bind_mail_port(cyrus_t) corenet_tcp_bind_lmtp_port(cyrus_t) @@ -13877,7 +14249,7 @@ index a531e6f..ec075b8 100644 corenet_tcp_bind_pop_port(cyrus_t) corenet_tcp_bind_sieve_port(cyrus_t) corenet_tcp_connect_all_ports(cyrus_t) -@@ -93,7 +94,6 @@ corecmd_exec_bin(cyrus_t) +@@ -93,7 +93,6 @@ corecmd_exec_bin(cyrus_t) domain_use_interactive_fds(cyrus_t) files_list_var_lib(cyrus_t) @@ -13885,7 +14257,7 @@ index a531e6f..ec075b8 100644 files_read_etc_runtime_files(cyrus_t) files_read_usr_files(cyrus_t) -@@ -119,6 +119,10 @@ optional_policy(` +@@ -119,6 +118,10 @@ optional_policy(` ') optional_policy(` @@ -13896,7 +14268,7 @@ index a531e6f..ec075b8 100644 kerberos_keytab_template(cyrus, cyrus_t) ') -@@ -135,6 +139,7 @@ optional_policy(` +@@ -135,6 +138,7 @@ optional_policy(` ') optional_policy(` @@ -13958,7 +14330,7 @@ index dcc5f1c..18c3048 100644 files_read_etc_runtime_files(svc_start_t) files_search_var(svc_start_t) diff --git a/dante.te b/dante.te -index 9636326..a29dcaa 100644 +index 9636326..9101895 100644 --- a/dante.te +++ b/dante.te @@ -10,7 +10,7 @@ type dante_exec_t; 
@@ -13970,7 +14342,15 @@ index 9636326..a29dcaa 100644 type dante_var_run_t; files_pid_file(dante_var_run_t) -@@ -46,7 +46,6 @@ corenet_udp_sendrecv_generic_node(dante_t) +@@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(dante_t) + kernel_list_proc(dante_t) + kernel_read_proc_symlinks(dante_t) + +-corenet_all_recvfrom_unlabeled(dante_t) + corenet_all_recvfrom_netlabel(dante_t) + corenet_tcp_sendrecv_generic_if(dante_t) + corenet_udp_sendrecv_generic_if(dante_t) +@@ -46,7 +45,6 @@ corenet_udp_sendrecv_generic_node(dante_t) corenet_tcp_sendrecv_all_ports(dante_t) corenet_udp_sendrecv_all_ports(dante_t) corenet_tcp_bind_generic_node(dante_t) @@ -14008,10 +14388,18 @@ index 1875064..2adc35f 100644 + sudo_role_template(dbadm, dbadm_r, dbadm_t) +') diff --git a/dbskk.te b/dbskk.te -index 1445f97..f874b4d 100644 +index 1445f97..566797c 100644 --- a/dbskk.te +++ b/dbskk.te -@@ -60,7 +60,6 @@ dev_read_urand(dbskkd_t) +@@ -47,7 +47,6 @@ kernel_read_kernel_sysctls(dbskkd_t) + kernel_read_system_state(dbskkd_t) + kernel_read_network_state(dbskkd_t) + +-corenet_all_recvfrom_unlabeled(dbskkd_t) + corenet_all_recvfrom_netlabel(dbskkd_t) + corenet_tcp_sendrecv_generic_if(dbskkd_t) + corenet_udp_sendrecv_generic_if(dbskkd_t) +@@ -60,7 +59,6 @@ dev_read_urand(dbskkd_t) fs_getattr_xattr_fs(dbskkd_t) @@ -14385,7 +14773,7 @@ index fb4bf82..115133d 100644 + dontaudit $1 session_bus_type:dbus send_msg; ') diff --git a/dbus.te b/dbus.te -index 8e7ba54..ffc5025 100644 +index 8e7ba54..edb1219 100644 --- a/dbus.te +++ b/dbus.te @@ -10,6 +10,7 @@ gen_require(` @@ -14497,6 +14885,7 @@ index 8e7ba54..ffc5025 100644 optional_policy(` + systemd_use_fds_logind(system_dbusd_t) + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) ++ systemd_write_inhibit_pipes(system_dbusd_t) +') + +optional_policy(` 
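Review bot: `systemd_write_inhibit_pipes(system_dbusd_t)` in the last hunk on this line (dbus.te, `@@ -14497,6 +14885,7 @@`) gives the system bus daemon write access to logind's inhibitor pipes with no comment, and the commit message's "Allow dbus to inhibit suspend via systemd" is not what dbus-daemon does -- as far as the visible policy shows it only brokers messages between logind and the client taking the lock. If the AVC behind this came from dbus-daemon relaying the inhibitor fd (the kernel's file_receive hook checks the fd's open mode, here write, against the receiving domain), record that next to the rule so the grant is neither widened to rw later nor dropped as unnecessary, e.g. `# dbus-daemon relays logind inhibitor fds to clients; file_receive checks write on the pipe`. The interface is defined outside this diff (systemd.if), so its exact scope cannot be checked here; it should be limited to `write` on the inhibit fifo type and nothing more. The enclosing optional_policy block continues outside the hunk.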
@@ -14577,7 +14966,6 @@ index 8e7ba54..ffc5025 100644 +corecmd_read_bin_pipes(session_bus_type) +corecmd_read_bin_sockets(session_bus_type) + -+corenet_all_recvfrom_unlabeled(session_bus_type) +corenet_all_recvfrom_netlabel(session_bus_type) +corenet_tcp_sendrecv_generic_if(session_bus_type) +corenet_tcp_sendrecv_generic_node(session_bus_type) @@ -14665,7 +15053,7 @@ index 784753e..bf65e7d 100644 stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) ') diff --git a/dcc.te b/dcc.te -index 5178337..d83413e 100644 +index 5178337..a087ad2 100644 --- a/dcc.te +++ b/dcc.te @@ -36,7 +36,7 @@ type dcc_var_t; @@ -14677,7 +15065,13 @@ index 5178337..d83413e 100644 type dccd_t; type dccd_exec_t; -@@ -101,7 +101,6 @@ corenet_udp_sendrecv_generic_if(cdcc_t) +@@ -95,13 +95,11 @@ allow cdcc_t dcc_var_t:dir list_dir_perms; + read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) + read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) + +-corenet_all_recvfrom_unlabeled(cdcc_t) + corenet_all_recvfrom_netlabel(cdcc_t) + corenet_udp_sendrecv_generic_if(cdcc_t) corenet_udp_sendrecv_generic_node(cdcc_t) corenet_udp_sendrecv_all_ports(cdcc_t) @@ -14685,7 +15079,7 @@ index 5178337..d83413e 100644 files_read_etc_runtime_files(cdcc_t) auth_use_nsswitch(cdcc_t) -@@ -110,7 +109,7 @@ logging_send_syslog_msg(cdcc_t) +@@ -110,7 +108,7 @@ logging_send_syslog_msg(cdcc_t) miscfiles_read_localization(cdcc_t) @@ -14694,7 +15088,14 @@ index 5178337..d83413e 100644 ######################################## # -@@ -141,7 +140,6 @@ corenet_udp_sendrecv_generic_node(dcc_client_t) +@@ -134,14 +132,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) + + kernel_read_system_state(dcc_client_t) + +-corenet_all_recvfrom_unlabeled(dcc_client_t) + corenet_all_recvfrom_netlabel(dcc_client_t) + corenet_udp_sendrecv_generic_if(dcc_client_t) + corenet_udp_sendrecv_generic_node(dcc_client_t) corenet_udp_sendrecv_all_ports(dcc_client_t) corenet_udp_bind_generic_node(dcc_client_t) 
@@ -14702,7 +15103,7 @@ index 5178337..d83413e 100644 files_read_etc_runtime_files(dcc_client_t) fs_getattr_all_fs(dcc_client_t) -@@ -152,7 +150,7 @@ logging_send_syslog_msg(dcc_client_t) +@@ -152,7 +148,7 @@ logging_send_syslog_msg(dcc_client_t) miscfiles_read_localization(dcc_client_t) @@ -14711,7 +15112,13 @@ index 5178337..d83413e 100644 optional_policy(` amavis_read_spool_files(dcc_client_t) -@@ -188,7 +186,6 @@ corenet_udp_sendrecv_generic_if(dcc_dbclean_t) +@@ -182,13 +178,11 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) + + kernel_read_system_state(dcc_dbclean_t) + +-corenet_all_recvfrom_unlabeled(dcc_dbclean_t) + corenet_all_recvfrom_netlabel(dcc_dbclean_t) + corenet_udp_sendrecv_generic_if(dcc_dbclean_t) corenet_udp_sendrecv_generic_node(dcc_dbclean_t) corenet_udp_sendrecv_all_ports(dcc_dbclean_t) @@ -14719,7 +15126,7 @@ index 5178337..d83413e 100644 files_read_etc_runtime_files(dcc_dbclean_t) auth_use_nsswitch(dcc_dbclean_t) -@@ -197,7 +194,7 @@ logging_send_syslog_msg(dcc_dbclean_t) +@@ -197,7 +191,7 @@ logging_send_syslog_msg(dcc_dbclean_t) miscfiles_read_localization(dcc_dbclean_t) @@ -14728,7 +15135,15 @@ index 5178337..d83413e 100644 ######################################## # -@@ -251,7 +248,6 @@ dev_read_sysfs(dccd_t) +@@ -238,7 +232,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) + kernel_read_system_state(dccd_t) + kernel_read_kernel_sysctls(dccd_t) + +-corenet_all_recvfrom_unlabeled(dccd_t) + corenet_all_recvfrom_netlabel(dccd_t) + corenet_udp_sendrecv_generic_if(dccd_t) + corenet_udp_sendrecv_generic_node(dccd_t) +@@ -251,7 +244,6 @@ dev_read_sysfs(dccd_t) domain_use_interactive_fds(dccd_t) 
@@ -14736,7 +15151,15 @@ index 5178337..d83413e 100644 files_read_etc_runtime_files(dccd_t) fs_getattr_all_fs(dccd_t) -@@ -316,7 +312,6 @@ dev_read_sysfs(dccifd_t) +@@ -306,7 +298,6 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) + kernel_read_system_state(dccifd_t) + kernel_read_kernel_sysctls(dccifd_t) + +-corenet_all_recvfrom_unlabeled(dccifd_t) + corenet_all_recvfrom_netlabel(dccifd_t) + corenet_udp_sendrecv_generic_if(dccifd_t) + corenet_udp_sendrecv_generic_node(dccifd_t) +@@ -316,7 +307,6 @@ dev_read_sysfs(dccifd_t) domain_use_interactive_fds(dccifd_t) @@ -14744,7 +15167,15 @@ index 5178337..d83413e 100644 files_read_etc_runtime_files(dccifd_t) fs_getattr_all_fs(dccifd_t) -@@ -380,7 +375,6 @@ dev_read_sysfs(dccm_t) +@@ -370,7 +360,6 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file) + kernel_read_system_state(dccm_t) + kernel_read_kernel_sysctls(dccm_t) + +-corenet_all_recvfrom_unlabeled(dccm_t) + corenet_all_recvfrom_netlabel(dccm_t) + corenet_udp_sendrecv_generic_if(dccm_t) + corenet_udp_sendrecv_generic_node(dccm_t) +@@ -380,7 +369,6 @@ dev_read_sysfs(dccm_t) domain_use_interactive_fds(dccm_t) @@ -14778,7 +15209,7 @@ index 0a1a61b..64742c6 100644 domain_system_change_exemption($1) role_transition $2 ddclient_initrc_exec_t system_r; diff --git a/ddclient.te b/ddclient.te -index 24ba98a..32de93f 100644 +index 24ba98a..0918edc 100644 --- a/ddclient.te +++ b/ddclient.te @@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t) @@ -14816,7 +15247,7 @@ index 24ba98a..32de93f 100644 manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -@@ -62,6 +71,7 @@ kernel_read_software_raid_state(ddclient_t) +@@ -62,11 +71,11 @@ kernel_read_software_raid_state(ddclient_t) kernel_getattr_core_if(ddclient_t) kernel_getattr_message_if(ddclient_t) kernel_read_kernel_sysctls(ddclient_t) 
@@ -14824,7 +15255,12 @@ index 24ba98a..32de93f 100644 corecmd_exec_shell(ddclient_t) corecmd_exec_bin(ddclient_t) -@@ -74,6 +84,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t) + +-corenet_all_recvfrom_unlabeled(ddclient_t) + corenet_all_recvfrom_netlabel(ddclient_t) + corenet_tcp_sendrecv_generic_if(ddclient_t) + corenet_udp_sendrecv_generic_if(ddclient_t) +@@ -74,6 +83,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t) corenet_udp_sendrecv_generic_node(ddclient_t) corenet_tcp_sendrecv_all_ports(ddclient_t) corenet_udp_sendrecv_all_ports(ddclient_t) @@ -14833,7 +15269,7 @@ index 24ba98a..32de93f 100644 corenet_tcp_connect_all_ports(ddclient_t) corenet_sendrecv_all_client_packets(ddclient_t) -@@ -89,10 +101,14 @@ files_read_usr_files(ddclient_t) +@@ -89,10 +100,14 @@ files_read_usr_files(ddclient_t) fs_getattr_all_fs(ddclient_t) fs_search_auto_mountpoints(ddclient_t) @@ -14914,7 +15350,7 @@ index 567865f..b5e9376 100644 admin_pattern($1, denyhosts_var_lock_t) ') diff --git a/denyhosts.te b/denyhosts.te -index 8ba9425..e03f80a 100644 +index 8ba9425..3db40ba 100644 --- a/denyhosts.te +++ b/denyhosts.te @@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t) @@ -14927,7 +15363,7 @@ index 8ba9425..e03f80a 100644 allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms; allow denyhosts_t self:tcp_socket create_socket_perms; -@@ -43,8 +46,11 @@ read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) +@@ -43,24 +46,30 @@ read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file) 
@@ -14938,8 +15374,9 @@ index 8ba9425..e03f80a 100644 +corecmd_exec_shell(denyhosts_t) corecmd_exec_bin(denyhosts_t) - corenet_all_recvfrom_unlabeled(denyhosts_t) -@@ -53,14 +59,18 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t) +-corenet_all_recvfrom_unlabeled(denyhosts_t) + corenet_all_recvfrom_netlabel(denyhosts_t) + corenet_tcp_sendrecv_generic_if(denyhosts_t) corenet_tcp_sendrecv_generic_node(denyhosts_t) corenet_tcp_bind_generic_node(denyhosts_t) corenet_tcp_connect_smtp_port(denyhosts_t) @@ -14959,7 +15396,7 @@ index 8ba9425..e03f80a 100644 miscfiles_read_localization(denyhosts_t) -@@ -70,3 +80,7 @@ sysnet_etc_filetrans_config(denyhosts_t) +@@ -70,3 +79,7 @@ sysnet_etc_filetrans_config(denyhosts_t) optional_policy(` cron_system_entry(denyhosts_t, denyhosts_exec_t) ') @@ -15665,7 +16102,7 @@ index 5e2cea8..2ab8a14 100644 + allow $1 dhcpd_unit_file_t:service all_service_perms; ') diff --git a/dhcp.te b/dhcp.te -index 54b794f..def601e 100644 +index 54b794f..63eae1d 100644 --- a/dhcp.te +++ b/dhcp.te @@ -19,6 +19,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -15690,7 +16127,15 @@ index 54b794f..def601e 100644 allow dhcpd_t self:fifo_file rw_fifo_file_perms; allow dhcpd_t self:unix_dgram_socket create_socket_perms; allow dhcpd_t self:unix_stream_socket create_socket_perms; -@@ -80,7 +83,7 @@ corenet_tcp_connect_all_ports(dhcpd_t) +@@ -61,7 +64,6 @@ kernel_read_system_state(dhcpd_t) + kernel_read_kernel_sysctls(dhcpd_t) + kernel_read_network_state(dhcpd_t) + +-corenet_all_recvfrom_unlabeled(dhcpd_t) + corenet_all_recvfrom_netlabel(dhcpd_t) + corenet_tcp_sendrecv_generic_if(dhcpd_t) + corenet_udp_sendrecv_generic_if(dhcpd_t) +@@ -80,7 +82,7 @@ corenet_tcp_connect_all_ports(dhcpd_t) corenet_sendrecv_dhcpd_server_packets(dhcpd_t) corenet_sendrecv_pxe_server_packets(dhcpd_t) corenet_sendrecv_all_client_packets(dhcpd_t) 
@@ -15699,7 +16144,7 @@ index 54b794f..def601e 100644 corenet_udp_bind_all_unreserved_ports(dhcpd_t) dev_read_sysfs(dhcpd_t) -@@ -94,7 +97,6 @@ corecmd_exec_bin(dhcpd_t) +@@ -94,7 +96,6 @@ corecmd_exec_bin(dhcpd_t) domain_use_interactive_fds(dhcpd_t) @@ -15707,7 +16152,7 @@ index 54b794f..def601e 100644 files_read_usr_files(dhcpd_t) files_read_etc_runtime_files(dhcpd_t) files_search_var_lib(dhcpd_t) -@@ -110,12 +112,21 @@ sysnet_read_dhcp_config(dhcpd_t) +@@ -110,12 +111,21 @@ sysnet_read_dhcp_config(dhcpd_t) userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) userdom_dontaudit_search_user_home_dirs(dhcpd_t) @@ -15749,10 +16194,18 @@ index a0d23ce..83a7ca5 100644 init_labeled_script_domtrans($1, dictd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/dictd.te b/dictd.te -index d2d9359..c0e30db 100644 +index d2d9359..4202e56 100644 --- a/dictd.te +++ b/dictd.te -@@ -66,30 +66,21 @@ fs_search_auto_mountpoints(dictd_t) +@@ -45,7 +45,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file) + kernel_read_system_state(dictd_t) + kernel_read_kernel_sysctls(dictd_t) + +-corenet_all_recvfrom_unlabeled(dictd_t) + corenet_all_recvfrom_netlabel(dictd_t) + corenet_tcp_sendrecv_generic_if(dictd_t) + corenet_raw_sendrecv_generic_if(dictd_t) +@@ -66,30 +65,21 @@ fs_search_auto_mountpoints(dictd_t) domain_use_interactive_fds(dictd_t) @@ -15948,10 +16401,10 @@ index 0000000..332a1c9 +') diff --git a/dirsrv-admin.te b/dirsrv-admin.te new file mode 100644 -index 0000000..c2ac646 +index 0000000..58b4422 --- /dev/null +++ b/dirsrv-admin.te -@@ -0,0 +1,144 @@ +@@ -0,0 +1,143 @@ +policy_module(dirsrv-admin,1.0.0) + +######################################## 
@@ -16040,7 +16493,6 @@ index 0000000..c2ac646 + + kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t) + -+ corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t) + corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t) + corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t) + corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t) @@ -16341,10 +16793,10 @@ index 0000000..b214253 +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..4409b7d +index 0000000..da10216 --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,197 @@ +@@ -0,0 +1,196 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -16441,7 +16893,6 @@ index 0000000..4409b7d + +corecmd_search_bin(dirsrv_t) + -+corenet_all_recvfrom_unlabeled(dirsrv_t) +corenet_all_recvfrom_netlabel(dirsrv_t) +corenet_tcp_sendrecv_generic_if(dirsrv_t) +corenet_tcp_sendrecv_generic_node(dirsrv_t) @@ -16542,6 +16993,30 @@ index 0000000..4409b7d + snmp_manage_var_lib_files(dirsrv_snmp_t) + snmp_stream_connect(dirsrv_snmp_t) +') +diff --git a/distcc.te b/distcc.te +index 54d93e8..e4110c4 100644 +--- a/distcc.te ++++ b/distcc.te +@@ -44,7 +44,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file) + kernel_read_system_state(distccd_t) + kernel_read_kernel_sysctls(distccd_t) + +-corenet_all_recvfrom_unlabeled(distccd_t) + corenet_all_recvfrom_netlabel(distccd_t) + corenet_tcp_sendrecv_generic_if(distccd_t) + corenet_udp_sendrecv_generic_if(distccd_t) +diff --git a/djbdns.if b/djbdns.if +index ade3079..41a21f1 100644 +--- a/djbdns.if ++++ b/djbdns.if +@@ -34,7 +34,6 @@ template(`djbdns_daemontools_domain_template',` + allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms; + allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms; + +- corenet_all_recvfrom_unlabeled(djbdns_$1_t) + corenet_all_recvfrom_netlabel(djbdns_$1_t) + corenet_tcp_sendrecv_generic_if(djbdns_$1_t) + corenet_udp_sendrecv_generic_if(djbdns_$1_t) 
diff --git a/djbdns.te b/djbdns.te index 03b5286..62fbae1 100644 --- a/djbdns.te @@ -16812,7 +17287,7 @@ index 9bd812b..53f895e 100644 + allow $1 dnsmasq_unit_file_t:service all_service_perms; ') diff --git a/dnsmasq.te b/dnsmasq.te -index fdaeeba..853a32e 100644 +index fdaeeba..ec15389 100644 --- a/dnsmasq.te +++ b/dnsmasq.te @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) @@ -16825,7 +17300,7 @@ index fdaeeba..853a32e 100644 ######################################## # # Local policy -@@ -48,11 +51,14 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) +@@ -48,13 +51,15 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t) logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file) @@ -16839,9 +17314,11 @@ index fdaeeba..853a32e 100644 +kernel_read_network_state(dnsmasq_t) +kernel_request_load_module(dnsmasq_t) - corenet_all_recvfrom_unlabeled(dnsmasq_t) +-corenet_all_recvfrom_unlabeled(dnsmasq_t) corenet_all_recvfrom_netlabel(dnsmasq_t) -@@ -76,7 +82,6 @@ dev_read_urand(dnsmasq_t) + corenet_tcp_sendrecv_generic_if(dnsmasq_t) + corenet_udp_sendrecv_generic_if(dnsmasq_t) +@@ -76,7 +81,6 @@ dev_read_urand(dnsmasq_t) domain_use_interactive_fds(dnsmasq_t) @@ -16849,7 +17326,7 @@ index fdaeeba..853a32e 100644 files_read_etc_runtime_files(dnsmasq_t) fs_getattr_all_fs(dnsmasq_t) -@@ -96,7 +101,20 @@ optional_policy(` +@@ -96,7 +100,20 @@ optional_policy(` ') optional_policy(` @@ -16870,7 +17347,7 @@ index fdaeeba..853a32e 100644 ') optional_policy(` -@@ -113,5 +131,7 @@ optional_policy(` +@@ -113,5 +130,7 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) @@ -17172,7 +17649,7 @@ index e1d7dc5..df96c0d 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/dovecot.te b/dovecot.te -index 2df7766..b1b3824 100644 +index 2df7766..6f21882 100644 --- a/dovecot.te +++ b/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; 
@@ -17226,7 +17703,7 @@ index 2df7766..b1b3824 100644 files_search_etc(dovecot_t) can_exec(dovecot_t, dovecot_exec_t) -@@ -94,10 +99,12 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) +@@ -94,15 +99,16 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) @@ -17240,7 +17717,12 @@ index 2df7766..b1b3824 100644 kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) -@@ -110,6 +117,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t) + +-corenet_all_recvfrom_unlabeled(dovecot_t) + corenet_all_recvfrom_netlabel(dovecot_t) + corenet_tcp_sendrecv_generic_if(dovecot_t) + corenet_tcp_sendrecv_generic_node(dovecot_t) +@@ -110,6 +116,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t) corenet_tcp_bind_generic_node(dovecot_t) corenet_tcp_bind_mail_port(dovecot_t) corenet_tcp_bind_pop_port(dovecot_t) @@ -17248,7 +17730,7 @@ index 2df7766..b1b3824 100644 corenet_tcp_bind_sieve_port(dovecot_t) corenet_tcp_connect_all_ports(dovecot_t) corenet_tcp_connect_postgresql_port(dovecot_t) -@@ -128,13 +136,14 @@ corecmd_exec_bin(dovecot_t) +@@ -128,13 +135,14 @@ corecmd_exec_bin(dovecot_t) domain_use_interactive_fds(dovecot_t) @@ -17264,7 +17746,7 @@ index 2df7766..b1b3824 100644 init_getattr_utmp(dovecot_t) -@@ -145,6 +154,7 @@ logging_send_syslog_msg(dovecot_t) +@@ -145,6 +153,7 @@ logging_send_syslog_msg(dovecot_t) miscfiles_read_generic_certs(dovecot_t) miscfiles_read_localization(dovecot_t) 
@@ -17272,7 +17754,7 @@ index 2df7766..b1b3824 100644 userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_manage_user_home_content_dirs(dovecot_t) userdom_manage_user_home_content_files(dovecot_t) -@@ -153,6 +163,7 @@ userdom_manage_user_home_content_pipes(dovecot_t) +@@ -153,6 +162,7 @@ userdom_manage_user_home_content_pipes(dovecot_t) userdom_manage_user_home_content_sockets(dovecot_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) @@ -17280,7 +17762,7 @@ index 2df7766..b1b3824 100644 mta_manage_spool(dovecot_t) optional_policy(` -@@ -160,10 +171,24 @@ optional_policy(` +@@ -160,10 +170,24 @@ optional_policy(` ') optional_policy(` @@ -17305,7 +17787,7 @@ index 2df7766..b1b3824 100644 seutil_sigchld_newrole(dovecot_t) ') -@@ -180,8 +205,8 @@ optional_policy(` +@@ -180,8 +204,8 @@ optional_policy(` # dovecot auth local policy # @@ -17316,7 +17798,7 @@ index 2df7766..b1b3824 100644 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; -@@ -190,6 +215,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p +@@ -190,6 +214,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) @@ -17326,7 +17808,7 @@ index 2df7766..b1b3824 100644 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -@@ -201,22 +229,25 @@ dovecot_stream_connect_auth(dovecot_auth_t) +@@ -201,22 +228,25 @@ dovecot_stream_connect_auth(dovecot_auth_t) kernel_read_all_sysctls(dovecot_auth_t) kernel_read_system_state(dovecot_auth_t) 
@@ -17354,7 +17836,7 @@ index 2df7766..b1b3824 100644 init_rw_utmp(dovecot_auth_t) -@@ -236,6 +267,8 @@ optional_policy(` +@@ -236,6 +266,8 @@ optional_policy(` optional_policy(` mysql_search_db(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t) @@ -17363,7 +17845,7 @@ index 2df7766..b1b3824 100644 ') optional_policy(` -@@ -243,6 +276,8 @@ optional_policy(` +@@ -243,6 +275,8 @@ optional_policy(` ') optional_policy(` @@ -17372,7 +17854,7 @@ index 2df7766..b1b3824 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -250,23 +285,42 @@ optional_policy(` +@@ -250,23 +284,42 @@ optional_policy(` # # dovecot deliver local policy # @@ -17418,7 +17900,7 @@ index 2df7766..b1b3824 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -283,24 +337,21 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) +@@ -283,24 +336,21 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) userdom_manage_user_home_content_sockets(dovecot_deliver_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) @@ -17481,7 +17963,7 @@ index 4d32b42..78736d8 100644 ######################################## diff --git a/dpkg.te b/dpkg.te -index a1b8f92..71ee186 100644 +index a1b8f92..b362622 100644 --- a/dpkg.te +++ b/dpkg.te @@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1) @@ -17515,7 +17997,15 @@ index a1b8f92..71ee186 100644 type dpkg_script_tmp_t; files_tmp_file(dpkg_script_tmp_t) -@@ -152,9 +154,12 @@ files_exec_etc_files(dpkg_t) +@@ -92,7 +94,6 @@ kernel_read_kernel_sysctls(dpkg_t) + corecmd_exec_all_executables(dpkg_t) + + # TODO: do we really need all networking? +-corenet_all_recvfrom_unlabeled(dpkg_t) + corenet_all_recvfrom_netlabel(dpkg_t) + corenet_tcp_sendrecv_generic_if(dpkg_t) + corenet_raw_sendrecv_generic_if(dpkg_t) +@@ -152,9 +153,12 @@ files_exec_etc_files(dpkg_t) init_domtrans_script(dpkg_t) init_use_script_ptys(dpkg_t) 
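Review bot: Removing `corenet_all_recvfrom_unlabeled(dpkg_t)` in the `@@ -92,7 +94,6 @@` hunk of dpkg.te leaves the `# TODO: do we really need all networking?` directly above it unanswerable per domain: per the commit message the grant now comes from domain.if for every domain_type, so dpkg_t (and every other confined domain touched in this series) receives unlabeled peer traffic whether or not it was ever given this interface. On hosts that use labeled networking (NetLabel or labeled IPsec) that is a net widening, since omitting the call per domain was the only way to force a daemon to accept labeled peers only; the domain.if change itself is outside this diff, so this is inferred from the commit message. If the move is intentional, a one-line comment at the domain.if site stating that per-domain opt-out is no longer possible would keep the next reviewer from re-adding these calls, and the TODO above should be reworded to cover the remaining corenet_* rules or dropped. dpkg_t's policy block continues outside the hunk.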
@@ -17529,7 +18019,7 @@ index a1b8f92..71ee186 100644 logging_send_syslog_msg(dpkg_t) -@@ -196,19 +201,30 @@ domain_signull_all_domains(dpkg_t) +@@ -196,19 +200,30 @@ domain_signull_all_domains(dpkg_t) files_read_etc_runtime_files(dpkg_t) files_exec_usr_files(dpkg_t) miscfiles_read_localization(dpkg_t) @@ -17566,7 +18056,7 @@ index a1b8f92..71ee186 100644 ######################################## # # dpkg-script Local policy -@@ -302,15 +318,15 @@ logging_send_syslog_msg(dpkg_script_t) +@@ -302,15 +317,15 @@ logging_send_syslog_msg(dpkg_script_t) miscfiles_read_localization(dpkg_script_t) @@ -17587,7 +18077,7 @@ index a1b8f92..71ee186 100644 allow dpkg_script_t self:process execmem; ') -@@ -319,9 +335,9 @@ optional_policy(` +@@ -319,9 +334,9 @@ optional_policy(` apt_use_fds(dpkg_script_t) ') @@ -17600,7 +18090,7 @@ index a1b8f92..71ee186 100644 optional_policy(` mta_send_mail(dpkg_script_t) -@@ -335,7 +351,7 @@ optional_policy(` +@@ -335,7 +350,7 @@ optional_policy(` unconfined_domain(dpkg_script_t) ') @@ -18236,10 +18726,18 @@ index b6ac808..63ba594 100644 userdom_dontaudit_use_unpriv_user_fds(entropyd_t) diff --git a/evolution.te b/evolution.te -index 73cb712..8aac234 100644 +index 73cb712..c87a548 100644 --- a/evolution.te +++ b/evolution.te -@@ -181,19 +181,19 @@ dev_read_urand(evolution_t) +@@ -146,7 +146,6 @@ corecmd_exec_shell(evolution_t) + # Run various programs + corecmd_exec_bin(evolution_t) + +-corenet_all_recvfrom_unlabeled(evolution_t) + corenet_all_recvfrom_netlabel(evolution_t) + corenet_tcp_sendrecv_generic_if(evolution_t) + corenet_udp_sendrecv_generic_if(evolution_t) +@@ -181,19 +180,19 @@ dev_read_urand(evolution_t) domain_dontaudit_read_all_domains_state(evolution_t) 
@@ -18261,7 +18759,7 @@ index 73cb712..8aac234 100644 udev_read_state(evolution_t) -@@ -201,7 +201,7 @@ userdom_rw_user_tmp_files(evolution_t) +@@ -201,7 +200,7 @@ userdom_rw_user_tmp_files(evolution_t) userdom_manage_user_tmp_dirs(evolution_t) userdom_manage_user_tmp_sockets(evolution_t) userdom_manage_user_tmp_files(evolution_t) @@ -18270,7 +18768,7 @@ index 73cb712..8aac234 100644 # FIXME: suppress access to .local/.icons/.themes until properly implemented # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) # until properly implemented -@@ -357,11 +357,12 @@ allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write; +@@ -357,11 +356,12 @@ allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write; dev_read_urand(evolution_alarm_t) @@ -18284,7 +18782,7 @@ index 73cb712..8aac234 100644 miscfiles_read_localization(evolution_alarm_t) # Access evolution home -@@ -439,12 +440,13 @@ corecmd_exec_bin(evolution_exchange_t) +@@ -439,12 +439,13 @@ corecmd_exec_bin(evolution_exchange_t) dev_read_urand(evolution_exchange_t) @@ -18299,7 +18797,15 @@ index 73cb712..8aac234 100644 miscfiles_read_localization(evolution_exchange_t) userdom_write_user_tmp_sockets(evolution_exchange_t) -@@ -519,19 +521,19 @@ corenet_sendrecv_http_cache_client_packets(evolution_server_t) +@@ -506,7 +507,6 @@ kernel_read_system_state(evolution_server_t) + corecmd_exec_shell(evolution_server_t) + + # Obtain weather data via http (read server name from xml file in /usr) +-corenet_all_recvfrom_unlabeled(evolution_server_t) + corenet_all_recvfrom_netlabel(evolution_server_t) + corenet_tcp_sendrecv_generic_if(evolution_server_t) + corenet_tcp_sendrecv_generic_node(evolution_server_t) +@@ -519,19 +519,19 @@ corenet_sendrecv_http_cache_client_packets(evolution_server_t) dev_read_urand(evolution_server_t) 
@@ -18321,7 +18827,15 @@ index 73cb712..8aac234 100644 sysnet_use_ldap(evolution_server_t) # Access evolution home -@@ -586,9 +588,9 @@ corenet_tcp_connect_http_port(evolution_webcal_t) +@@ -573,7 +573,6 @@ allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_per + allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms; + fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +-corenet_all_recvfrom_unlabeled(evolution_webcal_t) + corenet_all_recvfrom_netlabel(evolution_webcal_t) + corenet_tcp_sendrecv_generic_if(evolution_webcal_t) + corenet_raw_sendrecv_generic_if(evolution_webcal_t) +@@ -586,9 +585,9 @@ corenet_tcp_connect_http_port(evolution_webcal_t) corenet_sendrecv_http_client_packets(evolution_webcal_t) corenet_sendrecv_http_cache_client_packets(evolution_webcal_t) @@ -18452,7 +18966,7 @@ index 6bef7f8..ba138e8 100644 + admin_pattern($1, exim_var_run_t) +') diff --git a/exim.te b/exim.te -index f28f64b..6a30d96 100644 +index f28f64b..775ec11 100644 --- a/exim.te +++ b/exim.te @@ -35,11 +35,14 @@ mta_mailserver_user_agent(exim_t) @@ -18471,7 +18985,7 @@ index f28f64b..6a30d96 100644 type exim_tmp_t; files_tmp_file(exim_tmp_t) -@@ -79,7 +82,7 @@ files_pid_filetrans(exim_t, exim_var_run_t, { file dir }) +@@ -79,11 +82,10 @@ files_pid_filetrans(exim_t, exim_var_run_t, { file dir }) kernel_read_kernel_sysctls(exim_t) kernel_read_network_state(exim_t) @@ -18480,7 +18994,11 @@ index f28f64b..6a30d96 100644 corecmd_search_bin(exim_t) -@@ -108,7 +111,7 @@ domain_use_interactive_fds(exim_t) +-corenet_all_recvfrom_unlabeled(exim_t) + corenet_all_recvfrom_netlabel(exim_t) + corenet_tcp_sendrecv_generic_if(exim_t) + corenet_udp_sendrecv_generic_if(exim_t) +@@ -108,7 +110,7 @@ domain_use_interactive_fds(exim_t) files_search_usr(exim_t) files_search_var(exim_t) 
@@ -18489,7 +19007,7 @@ index f28f64b..6a30d96 100644 files_read_etc_runtime_files(exim_t) files_getattr_all_mountpoints(exim_t) -@@ -162,6 +165,10 @@ optional_policy(` +@@ -162,6 +164,10 @@ optional_policy(` ') optional_policy(` @@ -18500,7 +19018,7 @@ index f28f64b..6a30d96 100644 kerberos_keytab_template(exim, exim_t) ') -@@ -171,6 +178,10 @@ optional_policy(` +@@ -171,6 +177,10 @@ optional_policy(` ') optional_policy(` @@ -18511,7 +19029,7 @@ index f28f64b..6a30d96 100644 tunable_policy(`exim_can_connect_db',` mysql_stream_connect(exim_t) ') -@@ -184,6 +195,7 @@ optional_policy(` +@@ -184,6 +194,7 @@ optional_policy(` optional_policy(` procmail_domtrans(exim_t) @@ -18631,7 +19149,7 @@ index f590a1f..b1b13b0 100644 + admin_pattern($1, fail2ban_tmp_t) ') diff --git a/fail2ban.te b/fail2ban.te -index 2a69e5e..64f9d4f 100644 +index 2a69e5e..d552523 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t) @@ -18665,7 +19183,7 @@ index 2a69e5e..64f9d4f 100644 manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) -@@ -50,6 +57,11 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) +@@ -50,12 +57,16 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file }) 
@@ -18677,7 +19195,13 @@ index 2a69e5e..64f9d4f 100644 kernel_read_system_state(fail2ban_t) corecmd_exec_bin(fail2ban_t) -@@ -66,8 +78,8 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) + corecmd_exec_shell(fail2ban_t) + +-corenet_all_recvfrom_unlabeled(fail2ban_t) + corenet_all_recvfrom_netlabel(fail2ban_t) + corenet_tcp_sendrecv_generic_if(fail2ban_t) + corenet_tcp_sendrecv_generic_node(fail2ban_t) +@@ -66,8 +77,8 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) dev_read_urand(fail2ban_t) domain_use_interactive_fds(fail2ban_t) @@ -18687,7 +19211,7 @@ index 2a69e5e..64f9d4f 100644 files_read_etc_runtime_files(fail2ban_t) files_read_usr_files(fail2ban_t) files_list_var(fail2ban_t) -@@ -85,6 +97,9 @@ miscfiles_read_localization(fail2ban_t) +@@ -85,6 +96,9 @@ miscfiles_read_localization(fail2ban_t) mta_send_mail(fail2ban_t) @@ -18697,7 +19221,7 @@ index 2a69e5e..64f9d4f 100644 optional_policy(` apache_read_log(fail2ban_t) ') -@@ -94,5 +109,44 @@ optional_policy(` +@@ -94,5 +108,44 @@ optional_policy(` ') optional_policy(` @@ -18930,7 +19454,7 @@ index 6537214..8629354 100644 files_list_etc($1) admin_pattern($1, fetchmail_etc_t) diff --git a/fetchmail.te b/fetchmail.te -index ac6626e..8fb83ef 100644 +index ac6626e..3f6d630 100644 --- a/fetchmail.te +++ b/fetchmail.te @@ -10,6 +10,9 @@ type fetchmail_exec_t; 
@@ -18955,7 +19479,15 @@ index ac6626e..8fb83ef 100644 kernel_read_kernel_sysctls(fetchmail_t) kernel_list_proc(fetchmail_t) kernel_getattr_proc_files(fetchmail_t) -@@ -88,6 +96,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) +@@ -51,7 +59,6 @@ kernel_dontaudit_read_system_state(fetchmail_t) + corecmd_exec_bin(fetchmail_t) + corecmd_exec_shell(fetchmail_t) + +-corenet_all_recvfrom_unlabeled(fetchmail_t) + corenet_all_recvfrom_netlabel(fetchmail_t) + corenet_tcp_sendrecv_generic_if(fetchmail_t) + corenet_udp_sendrecv_generic_if(fetchmail_t) +@@ -88,6 +95,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) userdom_dontaudit_search_user_home_dirs(fetchmail_t) optional_policy(` @@ -18967,10 +19499,18 @@ index ac6626e..8fb83ef 100644 ') diff --git a/finger.te b/finger.te -index 9b7036a..b223fa8 100644 +index 9b7036a..7bd5266 100644 --- a/finger.te +++ b/finger.te -@@ -66,6 +66,7 @@ term_getattr_all_ttys(fingerd_t) +@@ -46,7 +46,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file) + kernel_read_kernel_sysctls(fingerd_t) + kernel_read_system_state(fingerd_t) + +-corenet_all_recvfrom_unlabeled(fingerd_t) + corenet_all_recvfrom_netlabel(fingerd_t) + corenet_tcp_sendrecv_generic_if(fingerd_t) + corenet_udp_sendrecv_generic_if(fingerd_t) +@@ -66,6 +65,7 @@ term_getattr_all_ttys(fingerd_t) term_getattr_all_ptys(fingerd_t) auth_read_lastlog(fingerd_t) @@ -18978,7 +19518,7 @@ index 9b7036a..b223fa8 100644 corecmd_exec_bin(fingerd_t) corecmd_exec_shell(fingerd_t) -@@ -73,7 +74,6 @@ corecmd_exec_shell(fingerd_t) +@@ -73,7 +73,6 @@ corecmd_exec_shell(fingerd_t) domain_use_interactive_fds(fingerd_t) files_search_home(fingerd_t) @@ -19413,10 +19953,10 @@ index 8fa451c..f3a67c9 100644 ') diff --git a/firstboot.te b/firstboot.te -index c4d8998..9101c30 100644 +index c4d8998..65ce250 100644 --- a/firstboot.te 
+++ b/firstboot.te -@@ -33,6 +33,9 @@ allow firstboot_t self:passwd rootok; +@@ -33,10 +33,12 @@ allow firstboot_t self:passwd rootok; allow firstboot_t firstboot_etc_t:file read_file_perms; @@ -19426,7 +19966,11 @@ index c4d8998..9101c30 100644 kernel_read_system_state(firstboot_t) kernel_read_kernel_sysctls(firstboot_t) -@@ -62,6 +65,8 @@ files_read_usr_files(firstboot_t) +-corenet_all_recvfrom_unlabeled(firstboot_t) + corenet_all_recvfrom_netlabel(firstboot_t) + corenet_tcp_sendrecv_generic_if(firstboot_t) + corenet_tcp_sendrecv_generic_node(firstboot_t) +@@ -62,6 +64,8 @@ files_read_usr_files(firstboot_t) files_manage_var_dirs(firstboot_t) files_manage_var_files(firstboot_t) files_manage_var_symlinks(firstboot_t) @@ -19435,7 +19979,7 @@ index c4d8998..9101c30 100644 init_domtrans_script(firstboot_t) init_rw_utmp(firstboot_t) -@@ -75,12 +80,10 @@ logging_send_syslog_msg(firstboot_t) +@@ -75,12 +79,10 @@ logging_send_syslog_msg(firstboot_t) miscfiles_read_localization(firstboot_t) @@ -19451,7 +19995,7 @@ index c4d8998..9101c30 100644 # Add/remove user home directories userdom_manage_user_home_content_dirs(firstboot_t) userdom_manage_user_home_content_files(firstboot_t) -@@ -103,8 +106,18 @@ optional_policy(` +@@ -103,8 +105,18 @@ optional_policy(` ') optional_policy(` @@ -19470,7 +20014,7 @@ index c4d8998..9101c30 100644 optional_policy(` samba_rw_config(firstboot_t) -@@ -113,7 +126,7 @@ optional_policy(` +@@ -113,7 +125,7 @@ optional_policy(` optional_policy(` unconfined_domtrans(firstboot_t) # The big hammer @@ -19479,7 +20023,7 @@ index c4d8998..9101c30 100644 ') optional_policy(` -@@ -125,6 +138,7 @@ optional_policy(` +@@ -125,6 +137,7 @@ optional_policy(` ') optional_policy(` @@ -19487,7 +20031,7 @@ index c4d8998..9101c30 100644 gnome_manage_config(firstboot_t) ') -@@ -132,4 +146,5 @@ optional_policy(` +@@ -132,4 +145,5 @@ optional_policy(` xserver_domtrans(firstboot_t) xserver_rw_shm(firstboot_t) xserver_unconfined(firstboot_t) 
@@ -19657,7 +20201,7 @@ index 9d3201b..6e75e3d 100644 + allow $1 ftpd_unit_file_t:service all_service_perms; ') diff --git a/ftp.te b/ftp.te -index 4285c83..d1b00d0 100644 +index 4285c83..4f2cd97 100644 --- a/ftp.te +++ b/ftp.te @@ -12,7 +12,7 @@ policy_module(ftp, 1.13.1) @@ -19794,7 +20338,7 @@ index 4285c83..d1b00d0 100644 # Create and modify /var/log/xferlog. manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) -@@ -177,7 +213,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) +@@ -177,14 +213,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) kernel_read_kernel_sysctls(ftpd_t) kernel_read_system_state(ftpd_t) @@ -19803,7 +20347,14 @@ index 4285c83..d1b00d0 100644 dev_read_sysfs(ftpd_t) dev_read_urand(ftpd_t) -@@ -196,9 +232,8 @@ corenet_tcp_bind_generic_node(ftpd_t) + + corecmd_exec_bin(ftpd_t) + +-corenet_all_recvfrom_unlabeled(ftpd_t) + corenet_all_recvfrom_netlabel(ftpd_t) + corenet_tcp_sendrecv_generic_if(ftpd_t) + corenet_udp_sendrecv_generic_if(ftpd_t) +@@ -196,9 +231,8 @@ corenet_tcp_bind_generic_node(ftpd_t) corenet_tcp_bind_ftp_port(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) corenet_tcp_bind_generic_port(ftpd_t) @@ -19815,7 +20366,7 @@ index 4285c83..d1b00d0 100644 corenet_sendrecv_ftp_server_packets(ftpd_t) domain_use_interactive_fds(ftpd_t) -@@ -212,13 +247,11 @@ fs_search_auto_mountpoints(ftpd_t) +@@ -212,13 +246,11 @@ fs_search_auto_mountpoints(ftpd_t) fs_getattr_all_fs(ftpd_t) fs_search_fusefs(ftpd_t) @@ -19831,7 +20382,7 @@ index 4285c83..d1b00d0 100644 init_rw_utmp(ftpd_t) -@@ -237,31 +270,39 @@ sysnet_use_ldap(ftpd_t) +@@ -237,31 +269,39 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) 
@@ -19878,7 +20429,7 @@ index 4285c83..d1b00d0 100644 ') tunable_policy(`ftp_home_dir',` -@@ -270,10 +311,13 @@ tunable_policy(`ftp_home_dir',` +@@ -270,10 +310,13 @@ tunable_policy(`ftp_home_dir',` # allow access to /home files_list_home(ftpd_t) userdom_read_user_home_content_files(ftpd_t) @@ -19896,7 +20447,7 @@ index 4285c83..d1b00d0 100644 ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` -@@ -309,10 +353,35 @@ optional_policy(` +@@ -309,10 +352,35 @@ optional_policy(` ') optional_policy(` @@ -19933,7 +20484,7 @@ index 4285c83..d1b00d0 100644 ') optional_policy(` -@@ -347,16 +416,17 @@ optional_policy(` +@@ -347,16 +415,17 @@ optional_policy(` # Allow ftpdctl to talk to ftpd over a socket connection stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -19953,7 +20504,7 @@ index 4285c83..d1b00d0 100644 ######################################## # -@@ -365,18 +435,33 @@ userdom_use_user_terminals(ftpdctl_t) +@@ -365,18 +434,33 @@ userdom_use_user_terminals(ftpdctl_t) files_read_etc_files(sftpd_t) @@ -19990,7 +20541,7 @@ index 4285c83..d1b00d0 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -394,19 +479,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` +@@ -394,19 +478,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) @@ -20013,10 +20564,18 @@ index 4285c83..d1b00d0 100644 -') +userdom_home_reader(sftpd_t) diff --git a/games.te b/games.te -index b73d33c..a1b0cad 100644 +index b73d33c..0c56ca4 100644 --- a/games.te 
+++ b/games.te -@@ -163,7 +163,7 @@ userdom_manage_user_tmp_sockets(games_t) +@@ -120,7 +120,6 @@ kernel_read_system_state(games_t) + + corecmd_exec_bin(games_t) + +-corenet_all_recvfrom_unlabeled(games_t) + corenet_all_recvfrom_netlabel(games_t) + corenet_tcp_sendrecv_generic_if(games_t) + corenet_udp_sendrecv_generic_if(games_t) +@@ -163,7 +162,7 @@ userdom_manage_user_tmp_sockets(games_t) # Suppress .icons denial until properly implemented userdom_dontaudit_read_user_home_content_files(games_t) @@ -20026,7 +20585,7 @@ index b73d33c..a1b0cad 100644 ') diff --git a/gatekeeper.te b/gatekeeper.te -index 99a94de..6dbc203 100644 +index 99a94de..a0f0d2c 100644 --- a/gatekeeper.te +++ b/gatekeeper.te @@ -33,7 +33,7 @@ allow gatekeeper_t self:fifo_file rw_fifo_file_perms; @@ -20038,11 +20597,27 @@ index 99a94de..6dbc203 100644 allow gatekeeper_t gatekeeper_etc_t:file read_file_perms; files_search_etc(gatekeeper_t) +@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(gatekeeper_t) + + corecmd_list_bin(gatekeeper_t) + +-corenet_all_recvfrom_unlabeled(gatekeeper_t) + corenet_all_recvfrom_netlabel(gatekeeper_t) + corenet_tcp_sendrecv_generic_if(gatekeeper_t) + corenet_udp_sendrecv_generic_if(gatekeeper_t) diff --git a/gift.te b/gift.te -index 4975343..47d814d 100644 +index 4975343..5aab51a 100644 --- a/gift.te +++ b/gift.te -@@ -67,17 +67,7 @@ sysnet_read_config(gift_t) +@@ -52,7 +52,6 @@ domtrans_pattern(gift_t, giftd_exec_t, giftd_t) + kernel_read_system_state(gift_t) + + # Connect to gift daemon +-corenet_all_recvfrom_unlabeled(gift_t) + corenet_all_recvfrom_netlabel(gift_t) + corenet_tcp_sendrecv_generic_if(gift_t) + corenet_tcp_sendrecv_generic_node(gift_t) +@@ -67,17 +66,7 @@ sysnet_read_config(gift_t) # giftui looks in .icons, .themes. userdom_dontaudit_read_user_home_content_files(gift_t) 
@@ -20061,7 +20636,15 @@ index 4975343..47d814d 100644 optional_policy(` nscd_socket_use(gift_t) -@@ -129,16 +119,5 @@ miscfiles_read_localization(giftd_t) +@@ -106,7 +95,6 @@ kernel_read_system_state(giftd_t) + kernel_read_kernel_sysctls(giftd_t) + + # Serve content on various p2p networks. Ports can be random. +-corenet_all_recvfrom_unlabeled(giftd_t) + corenet_all_recvfrom_netlabel(giftd_t) + corenet_tcp_sendrecv_generic_if(giftd_t) + corenet_udp_sendrecv_generic_if(giftd_t) +@@ -129,16 +117,5 @@ miscfiles_read_localization(giftd_t) sysnet_read_config(giftd_t) @@ -20621,7 +21204,7 @@ index b0242d9..5126181 100644 + userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git") +') diff --git a/git.te b/git.te -index 58c3c61..9ac3c5f 100644 +index 58c3c61..9595f7c 100644 --- a/git.te +++ b/git.te @@ -31,6 +31,15 @@ gen_tunable(git_cgi_use_nfs, false) @@ -20671,7 +21254,15 @@ index 58c3c61..9ac3c5f 100644 ######################################## # -@@ -108,8 +124,15 @@ corenet_tcp_bind_git_port(git_session_t) +@@ -99,7 +115,6 @@ read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) + userdom_search_user_home_dirs(git_session_t) + + corenet_all_recvfrom_netlabel(git_session_t) +-corenet_all_recvfrom_unlabeled(git_session_t) + corenet_tcp_bind_generic_node(git_session_t) + corenet_tcp_sendrecv_generic_if(git_session_t) + corenet_tcp_sendrecv_generic_node(git_session_t) +@@ -108,8 +123,15 @@ corenet_tcp_bind_git_port(git_session_t) corenet_tcp_sendrecv_git_port(git_session_t) corenet_sendrecv_git_server_packets(git_session_t) @@ -20687,7 +21278,7 @@ index 58c3c61..9ac3c5f 100644 tunable_policy(`git_session_send_syslog_msg',` logging_send_syslog_msg(git_session_t) ') -@@ -131,10 +154,12 @@ tunable_policy(`use_samba_home_dirs',` +@@ -131,10 +153,12 @@ tunable_policy(`use_samba_home_dirs',` # Git system policy # 
@@ -20702,7 +21293,7 @@ index 58c3c61..9ac3c5f 100644 logging_send_syslog_msg(git_system_t) tunable_policy(`git_system_enable_homedirs',` -@@ -170,8 +195,8 @@ tunable_policy(`git_system_use_nfs',` +@@ -170,8 +194,8 @@ tunable_policy(`git_system_use_nfs',` # Git CGI policy # @@ -20713,7 +21304,7 @@ index 58c3c61..9ac3c5f 100644 files_search_var_lib(httpd_git_script_t) files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) -@@ -221,6 +246,11 @@ files_read_usr_files(git_daemon) +@@ -221,6 +245,11 @@ files_read_usr_files(git_daemon) fs_search_auto_mountpoints(git_daemon) @@ -23148,7 +23739,7 @@ index 6d50300..46cc164 100644 ## ## Send generic signals to user gpg processes. diff --git a/gpg.te b/gpg.te -index 156820c..401b90c 100644 +index 156820c..50c208c 100644 --- a/gpg.te +++ b/gpg.te @@ -1,9 +1,10 @@ @@ -23263,7 +23854,15 @@ index 156820c..401b90c 100644 manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) -@@ -106,7 +130,6 @@ fs_list_inotifyfs(gpg_t) +@@ -86,7 +110,6 @@ kernel_read_sysctl(gpg_t) + corecmd_exec_shell(gpg_t) + corecmd_exec_bin(gpg_t) + +-corenet_all_recvfrom_unlabeled(gpg_t) + corenet_all_recvfrom_netlabel(gpg_t) + corenet_tcp_sendrecv_generic_if(gpg_t) + corenet_udp_sendrecv_generic_if(gpg_t) +@@ -106,7 +129,6 @@ fs_list_inotifyfs(gpg_t) domain_use_interactive_fds(gpg_t) @@ -23271,7 +23870,7 @@ index 156820c..401b90c 100644 files_read_usr_files(gpg_t) files_dontaudit_search_var(gpg_t) -@@ -116,22 +139,26 @@ logging_send_syslog_msg(gpg_t) +@@ -116,22 +138,26 @@ logging_send_syslog_msg(gpg_t) miscfiles_read_localization(gpg_t) @@ -23306,7 +23905,7 @@ index 156820c..401b90c 100644 ') optional_policy(` -@@ -140,15 +167,19 @@ optional_policy(` +@@ -140,15 +166,19 @@ optional_policy(` ') optional_policy(` 
@@ -23330,7 +23929,15 @@ index 156820c..401b90c 100644 ######################################## # # GPG helper local policy -@@ -180,11 +211,10 @@ corenet_tcp_bind_generic_node(gpg_helper_t) +@@ -166,7 +196,6 @@ allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; + + dontaudit gpg_helper_t gpg_secret_t:file read; + +-corenet_all_recvfrom_unlabeled(gpg_helper_t) + corenet_all_recvfrom_netlabel(gpg_helper_t) + corenet_tcp_sendrecv_generic_if(gpg_helper_t) + corenet_raw_sendrecv_generic_if(gpg_helper_t) +@@ -180,11 +209,10 @@ corenet_tcp_bind_generic_node(gpg_helper_t) corenet_udp_bind_generic_node(gpg_helper_t) corenet_tcp_connect_all_ports(gpg_helper_t) @@ -23343,7 +23950,7 @@ index 156820c..401b90c 100644 tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -198,15 +228,17 @@ tunable_policy(`use_samba_home_dirs',` +@@ -198,15 +226,17 @@ tunable_policy(`use_samba_home_dirs',` # # GPG agent local policy # @@ -23362,7 +23969,7 @@ index 156820c..401b90c 100644 manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -@@ -223,6 +255,7 @@ corecmd_read_bin_symlinks(gpg_agent_t) +@@ -223,6 +253,7 @@ corecmd_read_bin_symlinks(gpg_agent_t) corecmd_search_bin(gpg_agent_t) corecmd_exec_shell(gpg_agent_t) @@ -23370,7 +23977,7 @@ index 156820c..401b90c 100644 dev_read_urand(gpg_agent_t) domain_use_interactive_fds(gpg_agent_t) -@@ -232,34 +265,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) +@@ -232,34 +263,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) miscfiles_read_localization(gpg_agent_t) # Write to the user domain tty. 
@@ -23409,7 +24016,7 @@ index 156820c..401b90c 100644 optional_policy(` mozilla_dontaudit_rw_user_home_files(gpg_agent_t) -@@ -294,6 +318,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) +@@ -294,10 +316,10 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) # read /proc/meminfo kernel_read_system_state(gpg_pinentry_t) @@ -23417,7 +24024,11 @@ index 156820c..401b90c 100644 corecmd_exec_bin(gpg_pinentry_t) corenet_all_recvfrom_netlabel(gpg_pinentry_t) -@@ -310,7 +335,6 @@ dev_read_rand(gpg_pinentry_t) +-corenet_all_recvfrom_unlabeled(gpg_pinentry_t) + corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t) + corenet_tcp_bind_generic_node(gpg_pinentry_t) + corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t) +@@ -310,7 +332,6 @@ dev_read_rand(gpg_pinentry_t) files_read_usr_files(gpg_pinentry_t) # read /etc/X11/qtrc @@ -23425,7 +24036,7 @@ index 156820c..401b90c 100644 fs_dontaudit_list_inotifyfs(gpg_pinentry_t) fs_getattr_tmpfs(gpg_pinentry_t) -@@ -325,13 +349,15 @@ miscfiles_read_localization(gpg_pinentry_t) +@@ -325,13 +346,15 @@ miscfiles_read_localization(gpg_pinentry_t) # for .Xauthority userdom_read_user_home_content_files(gpg_pinentry_t) userdom_read_user_tmpfs_files(gpg_pinentry_t) @@ -23446,7 +24057,7 @@ index 156820c..401b90c 100644 ') optional_policy(` -@@ -340,6 +366,12 @@ optional_policy(` +@@ -340,6 +363,12 @@ optional_policy(` ') optional_policy(` @@ -23459,7 +24070,7 @@ index 156820c..401b90c 100644 pulseaudio_exec(gpg_pinentry_t) pulseaudio_rw_home_files(gpg_pinentry_t) pulseaudio_setattr_home_dir(gpg_pinentry_t) -@@ -349,4 +381,28 @@ optional_policy(` +@@ -349,4 +378,28 @@ optional_policy(` optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) @@ -23550,7 +24161,7 @@ index a627b34..c4cfc6d 100644 optional_policy(` seutil_sigchld_newrole(gpm_t) diff --git a/gpsd.te b/gpsd.te -index 03742d8..3f7065f 100644 +index 03742d8..27e518c 100644 --- a/gpsd.te 
+++ b/gpsd.te @@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t) @@ -23565,14 +24176,14 @@ index 03742d8..3f7065f 100644 allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; allow gpsd_t self:tcp_socket create_stream_socket_perms; -@@ -38,16 +39,25 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) +@@ -38,16 +39,24 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file }) +-corenet_all_recvfrom_unlabeled(gpsd_t) +kernel_list_proc(gpsd_t) +kernel_request_load_module(gpsd_t) + - corenet_all_recvfrom_unlabeled(gpsd_t) corenet_all_recvfrom_netlabel(gpsd_t) corenet_tcp_sendrecv_generic_if(gpsd_t) corenet_tcp_sendrecv_generic_node(gpsd_t) @@ -23592,7 +24203,7 @@ index 03742d8..3f7065f 100644 auth_use_nsswitch(gpsd_t) -@@ -56,6 +66,12 @@ logging_send_syslog_msg(gpsd_t) +@@ -56,6 +65,12 @@ logging_send_syslog_msg(gpsd_t) miscfiles_read_localization(gpsd_t) optional_policy(` @@ -23627,10 +24238,18 @@ index 1cb7311..1de82b2 100644 + +gen_user(guest_u, user, guest_r, s0, s0) diff --git a/hadoop.if b/hadoop.if -index 2d0b4e1..69fb7c1 100644 +index 2d0b4e1..7bbebf5 100644 --- a/hadoop.if +++ b/hadoop.if -@@ -224,14 +224,21 @@ interface(`hadoop_role',` +@@ -89,7 +89,6 @@ template(`hadoop_domain_template',` + corecmd_exec_bin(hadoop_$1_t) + corecmd_exec_shell(hadoop_$1_t) + +- corenet_all_recvfrom_unlabeled(hadoop_$1_t) + corenet_all_recvfrom_netlabel(hadoop_$1_t) + corenet_tcp_bind_all_nodes(hadoop_$1_t) + corenet_tcp_sendrecv_generic_if(hadoop_$1_t) +@@ -224,14 +223,21 @@ interface(`hadoop_role',` hadoop_domtrans($2) role $1 types hadoop_t; @@ -23655,10 +24274,18 @@ index 2d0b4e1..69fb7c1 100644 ######################################## diff --git a/hadoop.te b/hadoop.te -index c81c58a..99bc7cb 100644 +index c81c58a..63e344b 100644 --- a/hadoop.te 
+++ b/hadoop.te -@@ -151,20 +151,23 @@ dev_read_urand(hadoop_t) +@@ -123,7 +123,6 @@ kernel_read_system_state(hadoop_t) + corecmd_exec_bin(hadoop_t) + corecmd_exec_shell(hadoop_t) + +-corenet_all_recvfrom_unlabeled(hadoop_t) + corenet_all_recvfrom_netlabel(hadoop_t) + corenet_tcp_sendrecv_generic_if(hadoop_t) + corenet_udp_sendrecv_generic_if(hadoop_t) +@@ -151,20 +150,23 @@ dev_read_urand(hadoop_t) domain_use_interactive_fds(hadoop_t) files_dontaudit_search_spool(hadoop_t) @@ -23688,7 +24315,15 @@ index c81c58a..99bc7cb 100644 optional_policy(` nis_use_ypbind(hadoop_t) -@@ -333,20 +336,19 @@ dev_read_urand(zookeeper_t) +@@ -311,7 +313,6 @@ kernel_read_system_state(zookeeper_t) + corecmd_exec_bin(zookeeper_t) + corecmd_exec_shell(zookeeper_t) + +-corenet_all_recvfrom_unlabeled(zookeeper_t) + corenet_all_recvfrom_netlabel(zookeeper_t) + corenet_tcp_sendrecv_generic_if(zookeeper_t) + corenet_udp_sendrecv_generic_if(zookeeper_t) +@@ -333,20 +334,19 @@ dev_read_urand(zookeeper_t) domain_use_interactive_fds(zookeeper_t) @@ -23713,7 +24348,15 @@ index c81c58a..99bc7cb 100644 ') ######################################## -@@ -421,7 +423,6 @@ dev_read_rand(zookeeper_server_t) +@@ -393,7 +393,6 @@ kernel_read_system_state(zookeeper_server_t) + corecmd_exec_bin(zookeeper_server_t) + corecmd_exec_shell(zookeeper_server_t) + +-corenet_all_recvfrom_unlabeled(zookeeper_server_t) + corenet_all_recvfrom_netlabel(zookeeper_server_t) + corenet_tcp_sendrecv_generic_if(zookeeper_server_t) + corenet_udp_sendrecv_generic_if(zookeeper_server_t) +@@ -421,7 +420,6 @@ dev_read_rand(zookeeper_server_t) dev_read_sysfs(zookeeper_server_t) dev_read_urand(zookeeper_server_t) @@ -23721,7 +24364,7 @@ index c81c58a..99bc7cb 100644 files_read_usr_files(zookeeper_server_t) fs_getattr_xattr_fs(zookeeper_server_t) -@@ -432,4 +433,6 @@ miscfiles_read_localization(zookeeper_server_t) +@@ -432,4 +430,6 @@ miscfiles_read_localization(zookeeper_server_t) sysnet_read_config(zookeeper_server_t) 
@@ -23768,7 +24411,7 @@ index 7cf6763..9d2be6b 100644 + dontaudit $1 hald_var_run_t:file read_inherited_file_perms; +') diff --git a/hal.te b/hal.te -index e0476cb..987f2c2 100644 +index e0476cb..551070a 100644 --- a/hal.te +++ b/hal.te @@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t) @@ -23798,7 +24441,15 @@ index e0476cb..987f2c2 100644 kernel_search_network_sysctl(hald_t) kernel_setsched(hald_t) kernel_request_load_module(hald_t) -@@ -139,7 +143,6 @@ domain_read_all_domains_state(hald_t) +@@ -107,7 +111,6 @@ auth_read_pam_console_data(hald_t) + + corecmd_exec_all_executables(hald_t) + +-corenet_all_recvfrom_unlabeled(hald_t) + corenet_all_recvfrom_netlabel(hald_t) + corenet_tcp_sendrecv_generic_if(hald_t) + corenet_udp_sendrecv_generic_if(hald_t) +@@ -139,7 +142,6 @@ domain_read_all_domains_state(hald_t) domain_dontaudit_ptrace_all_domains(hald_t) files_exec_etc_files(hald_t) @@ -23806,7 +24457,7 @@ index e0476cb..987f2c2 100644 files_rw_etc_runtime_files(hald_t) files_manage_mnt_dirs(hald_t) files_manage_mnt_files(hald_t) -@@ -372,7 +375,6 @@ dev_setattr_generic_usb_dev(hald_acl_t) +@@ -372,7 +374,6 @@ dev_setattr_generic_usb_dev(hald_acl_t) dev_setattr_usbfs_files(hald_acl_t) files_read_usr_files(hald_acl_t) @@ -23814,7 +24465,7 @@ index e0476cb..987f2c2 100644 fs_getattr_all_fs(hald_acl_t) -@@ -418,7 +420,6 @@ dev_write_raw_memory(hald_mac_t) +@@ -418,7 +419,6 @@ dev_write_raw_memory(hald_mac_t) dev_read_sysfs(hald_mac_t) files_read_usr_files(hald_mac_t) @@ -23822,7 +24473,7 @@ index e0476cb..987f2c2 100644 auth_use_nsswitch(hald_mac_t) -@@ -465,7 +466,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) +@@ -465,7 +465,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) dev_rw_input_dev(hald_keymap_t) 
@@ -23830,6 +24481,14 @@ index e0476cb..987f2c2 100644 files_read_usr_files(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) +@@ -504,7 +503,6 @@ kernel_search_network_sysctl(hald_dccm_t) + + dev_read_urand(hald_dccm_t) + +-corenet_all_recvfrom_unlabeled(hald_dccm_t) + corenet_all_recvfrom_netlabel(hald_dccm_t) + corenet_tcp_sendrecv_generic_if(hald_dccm_t) + corenet_udp_sendrecv_generic_if(hald_dccm_t) diff --git a/hddtemp.if b/hddtemp.if index 87b4531..901d905 100644 --- a/hddtemp.if @@ -23859,10 +24518,18 @@ index 87b4531..901d905 100644 + files_list_etc($1) ') diff --git a/hddtemp.te b/hddtemp.te -index c234b32..e91e051 100644 +index c234b32..ab1fb3c 100644 --- a/hddtemp.te +++ b/hddtemp.te -@@ -38,12 +38,15 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t) +@@ -28,7 +28,6 @@ allow hddtemp_t self:udp_socket create_socket_perms; + + allow hddtemp_t hddtemp_etc_t:file read_file_perms; + +-corenet_all_recvfrom_unlabeled(hddtemp_t) + corenet_all_recvfrom_netlabel(hddtemp_t) + corenet_tcp_sendrecv_generic_if(hddtemp_t) + corenet_tcp_sendrecv_generic_node(hddtemp_t) +@@ -38,12 +37,15 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t) corenet_sendrecv_hddtemp_server_packets(hddtemp_t) corenet_tcp_sendrecv_hddtemp_port(hddtemp_t) @@ -23880,11 +24547,31 @@ index c234b32..e91e051 100644 +optional_policy(` + sysnet_dns_name_resolve(hddtemp_t) +') +diff --git a/howl.te b/howl.te +index 6ad2d3c..2ef178b 100644 +--- a/howl.te ++++ b/howl.te +@@ -33,7 +33,6 @@ kernel_request_load_module(howl_t) + kernel_list_proc(howl_t) + kernel_read_proc_symlinks(howl_t) + +-corenet_all_recvfrom_unlabeled(howl_t) + corenet_all_recvfrom_netlabel(howl_t) + corenet_tcp_sendrecv_generic_if(howl_t) + corenet_udp_sendrecv_generic_if(howl_t) diff --git a/i18n_input.te b/i18n_input.te -index 5fc89c4..738c3e2 100644 +index 5fc89c4..15d18ae 100644 --- a/i18n_input.te 
+++ b/i18n_input.te -@@ -74,16 +74,7 @@ sysnet_read_config(i18n_input_t) +@@ -36,7 +36,6 @@ can_exec(i18n_input_t, i18n_input_exec_t) + kernel_read_kernel_sysctls(i18n_input_t) + kernel_read_system_state(i18n_input_t) + +-corenet_all_recvfrom_unlabeled(i18n_input_t) + corenet_all_recvfrom_netlabel(i18n_input_t) + corenet_tcp_sendrecv_generic_if(i18n_input_t) + corenet_udp_sendrecv_generic_if(i18n_input_t) +@@ -74,16 +73,7 @@ sysnet_read_config(i18n_input_t) userdom_dontaudit_use_unpriv_user_fds(i18n_input_t) userdom_read_user_home_content_files(i18n_input_t) @@ -24036,6 +24723,18 @@ index 8d455ba..58729cb 100644 -/var/log/imaze\.log -- gen_context(system_u:object_r:imazesrv_log_t,s0) +/var/log/imaze\.log.* -- gen_context(system_u:object_r:imazesrv_log_t,s0) +diff --git a/imaze.te b/imaze.te +index 0778af8..3a0bead 100644 +--- a/imaze.te ++++ b/imaze.te +@@ -54,7 +54,6 @@ kernel_read_kernel_sysctls(imazesrv_t) + kernel_list_proc(imazesrv_t) + kernel_read_proc_symlinks(imazesrv_t) + +-corenet_all_recvfrom_unlabeled(imazesrv_t) + corenet_all_recvfrom_netlabel(imazesrv_t) + corenet_tcp_sendrecv_generic_if(imazesrv_t) + corenet_udp_sendrecv_generic_if(imazesrv_t) diff --git a/inetd.fc b/inetd.fc index 39d5baa..4288778 100644 --- a/inetd.fc @@ -24064,7 +24763,7 @@ index df48e5e..161814e 100644 ######################################## diff --git a/inetd.te b/inetd.te -index 10f25d3..99e3a15 100644 +index 10f25d3..65e06e4 100644 --- a/inetd.te +++ b/inetd.te @@ -38,9 +38,9 @@ ifdef(`enable_mcs',` 
@@ -24079,7 +24778,15 @@ index 10f25d3..99e3a15 100644 allow inetd_t self:fifo_file rw_fifo_file_perms; allow inetd_t self:tcp_socket create_stream_socket_perms; allow inetd_t self:udp_socket create_socket_perms; -@@ -89,16 +89,19 @@ corenet_tcp_bind_ftp_port(inetd_t) +@@ -65,7 +65,6 @@ kernel_tcp_recvfrom_unlabeled(inetd_t) + corecmd_bin_domtrans(inetd_t, inetd_child_t) + + # base networking: +-corenet_all_recvfrom_unlabeled(inetd_t) + corenet_all_recvfrom_netlabel(inetd_t) + corenet_tcp_sendrecv_generic_if(inetd_t) + corenet_udp_sendrecv_generic_if(inetd_t) +@@ -89,16 +88,19 @@ corenet_tcp_bind_ftp_port(inetd_t) corenet_udp_bind_ftp_port(inetd_t) corenet_tcp_bind_inetd_child_port(inetd_t) corenet_udp_bind_inetd_child_port(inetd_t) @@ -24101,7 +24808,7 @@ index 10f25d3..99e3a15 100644 corenet_tcp_bind_swat_port(inetd_t) corenet_udp_bind_swat_port(inetd_t) corenet_tcp_bind_telnetd_port(inetd_t) -@@ -119,7 +122,7 @@ corenet_sendrecv_ktalkd_server_packets(inetd_t) +@@ -119,7 +121,7 @@ corenet_sendrecv_ktalkd_server_packets(inetd_t) corenet_sendrecv_printer_server_packets(inetd_t) corenet_sendrecv_rsh_server_packets(inetd_t) corenet_sendrecv_rsync_server_packets(inetd_t) @@ -24110,7 +24817,7 @@ index 10f25d3..99e3a15 100644 corenet_sendrecv_swat_server_packets(inetd_t) corenet_sendrecv_tftp_server_packets(inetd_t) -@@ -137,7 +140,6 @@ corecmd_read_bin_symlinks(inetd_t) +@@ -137,7 +139,6 @@ corecmd_read_bin_symlinks(inetd_t) domain_use_interactive_fds(inetd_t) @@ -24118,7 +24825,7 @@ index 10f25d3..99e3a15 100644 files_read_etc_runtime_files(inetd_t) auth_use_nsswitch(inetd_t) -@@ -150,7 +152,10 @@ miscfiles_read_localization(inetd_t) +@@ -150,7 +151,10 @@ miscfiles_read_localization(inetd_t) mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) mls_socket_write_to_clearance(inetd_t) 
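Review bot: The `@@ -65,7 +65,6 @@` hunk removes `corenet_all_recvfrom_unlabeled(inetd_t)` but leaves the direct `kernel_tcp_recvfrom_unlabeled(inetd_t)` call shown in that hunk's header context untouched. In refpolicy corenet_all_recvfrom_unlabeled() is a wrapper around the kernel_*_recvfrom_unlabeled() interfaces, so if the grant now lives on domain_type the direct call is redundant and belongs in the same sweep; if the domain_type grant is narrower than the wrapper, inetd.te is the one file that keeps tcp coverage by accident rather than by design. Either removing it or annotating the survivor with `# tcp recvfrom from unlabeled_t is also granted to all domain_type; kept deliberately` would make the intent explicit. The inetd_t rule block continues outside this hunk.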
@@ -24129,7 +24836,7 @@ index 10f25d3..99e3a15 100644 sysnet_read_config(inetd_t) -@@ -177,6 +182,10 @@ optional_policy(` +@@ -177,6 +181,10 @@ optional_policy(` ') optional_policy(` @@ -24140,7 +24847,15 @@ index 10f25d3..99e3a15 100644 udev_read_db(inetd_t) ') -@@ -223,7 +232,6 @@ dev_read_urand(inetd_child_t) +@@ -210,7 +218,6 @@ kernel_read_kernel_sysctls(inetd_child_t) + kernel_read_system_state(inetd_child_t) + kernel_read_network_state(inetd_child_t) + +-corenet_all_recvfrom_unlabeled(inetd_child_t) + corenet_all_recvfrom_netlabel(inetd_child_t) + corenet_tcp_sendrecv_generic_if(inetd_child_t) + corenet_udp_sendrecv_generic_if(inetd_child_t) +@@ -223,7 +230,6 @@ dev_read_urand(inetd_child_t) fs_getattr_xattr_fs(inetd_child_t) @@ -24196,7 +24911,7 @@ index ebc9e0d..2c4b5da 100644 init_labeled_script_domtrans($1, innd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/inn.te b/inn.te -index 22f449a..ed1812b 100644 +index 22f449a..4d38202 100644 --- a/inn.te +++ b/inn.te @@ -4,6 +4,7 @@ policy_module(inn, 1.9.1) @@ -24239,7 +24954,15 @@ index 22f449a..ed1812b 100644 manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) manage_files_pattern(innd_t, news_spool_t, news_spool_t) -@@ -105,6 +108,7 @@ sysnet_read_config(innd_t) +@@ -65,7 +68,6 @@ manage_lnk_files_pattern(innd_t, news_spool_t, news_spool_t) + kernel_read_kernel_sysctls(innd_t) + kernel_read_system_state(innd_t) + +-corenet_all_recvfrom_unlabeled(innd_t) + corenet_all_recvfrom_netlabel(innd_t) + corenet_tcp_sendrecv_generic_if(innd_t) + corenet_udp_sendrecv_generic_if(innd_t) +@@ -105,6 +107,7 @@ sysnet_read_config(innd_t) userdom_dontaudit_use_unpriv_user_fds(innd_t) userdom_dontaudit_search_user_home_dirs(innd_t) @@ -24301,7 +25024,7 @@ index 4f9dc90..81a0fc6 100644 + relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t) ') diff --git a/irc.te b/irc.te -index 6e2dbd2..f174f68 100644 +index 6e2dbd2..8216600 100644 --- a/irc.te +++ b/irc.te 
@@ -19,7 +19,31 @@ userdom_user_home_content(irc_home_t) @@ -24337,7 +25060,15 @@ index 6e2dbd2..f174f68 100644 ######################################## # -@@ -83,20 +107,75 @@ seutil_use_newrole_fds(irc_t) +@@ -45,7 +69,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) + + kernel_read_proc_symlinks(irc_t) + +-corenet_all_recvfrom_unlabeled(irc_t) + corenet_all_recvfrom_netlabel(irc_t) + corenet_tcp_sendrecv_generic_if(irc_t) + corenet_udp_sendrecv_generic_if(irc_t) +@@ -83,20 +106,75 @@ seutil_use_newrole_fds(irc_t) sysnet_read_config(irc_t) # Write to the user domain tty. @@ -24423,6 +25154,18 @@ index 6e2dbd2..f174f68 100644 - nis_use_ypbind(irc_t) + automount_dontaudit_getattr_tmp_dirs(irssi_t) ') +diff --git a/ircd.te b/ircd.te +index 75ab1e2..a65b1a3 100644 +--- a/ircd.te ++++ b/ircd.te +@@ -49,7 +49,6 @@ kernel_read_kernel_sysctls(ircd_t) + + corecmd_search_bin(ircd_t) + +-corenet_all_recvfrom_unlabeled(ircd_t) + corenet_all_recvfrom_netlabel(ircd_t) + corenet_tcp_sendrecv_generic_if(ircd_t) + corenet_udp_sendrecv_generic_if(ircd_t) diff --git a/irqbalance.te b/irqbalance.te index 9aeeaf9..3cf4e02 100644 --- a/irqbalance.te @@ -24463,7 +25206,7 @@ index 14d9670..6825edc 100644 +/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) +/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) diff --git a/iscsi.te b/iscsi.te -index 8bcfa2f..b3547c6 100644 +index 8bcfa2f..3e10359 100644 --- a/iscsi.te +++ b/iscsi.te @@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t) 
@@ -24474,15 +25217,17 @@ index 8bcfa2f..b3547c6 100644 allow iscsid_t self:process { setrlimit setsched signal }; allow iscsid_t self:fifo_file rw_fifo_file_perms; allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -66,6 +65,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) +@@ -66,8 +65,8 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) kernel_read_network_state(iscsid_t) kernel_read_system_state(iscsid_t) +kernel_setsched(iscsid_t) - corenet_all_recvfrom_unlabeled(iscsid_t) +-corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t) -@@ -75,14 +75,16 @@ corenet_tcp_sendrecv_all_ports(iscsid_t) + corenet_tcp_sendrecv_generic_if(iscsid_t) + corenet_tcp_sendrecv_generic_node(iscsid_t) +@@ -75,14 +74,16 @@ corenet_tcp_sendrecv_all_ports(iscsid_t) corenet_tcp_connect_http_port(iscsid_t) corenet_tcp_connect_iscsi_port(iscsid_t) corenet_tcp_connect_isns_port(iscsid_t) @@ -24959,10 +25704,10 @@ index 9878499..8643cd3 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/jabber.te b/jabber.te -index 53e53ca..91bdd44 100644 +index 53e53ca..92520eb 100644 --- a/jabber.te +++ b/jabber.te -@@ -1,94 +1,154 @@ +@@ -1,94 +1,153 @@ -policy_module(jabber, 1.9.0) +policy_module(jabber, 1.8.0) @@ -25152,7 +25897,6 @@ index 53e53ca..91bdd44 100644 + +kernel_read_system_state(jabberd_domain) + -+corenet_all_recvfrom_unlabeled(jabberd_domain) +corenet_all_recvfrom_netlabel(jabberd_domain) +corenet_tcp_sendrecv_generic_if(jabberd_domain) +corenet_udp_sendrecv_generic_if(jabberd_domain) @@ -25175,7 +25919,7 @@ index 53e53ca..91bdd44 100644 + +sysnet_read_config(jabberd_domain) diff --git a/java.te b/java.te -index 95771f4..41c2fa1 100644 +index 95771f4..9d7f599 100644 --- a/java.te +++ b/java.te @@ -10,7 +10,7 @@ policy_module(java, 2.5.1) 
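Review bot: In the jabber.te `@@ -1,94 +1,153 @@` hunk the removed line granted unlabeled recvfrom to the `jabberd_domain` attribute rather than to a concrete type, so after this change each jabberd_* type only receives unlabeled packets if it individually carries domain_type. The attribute declaration and the type declarations that populate it are outside the visible part of the hunk, so it should be confirmed that every jabberd type is created through init_daemon_domain() or an explicit domain_type() call; a type that only has the attribute would silently lose the permission without any denial until traffic arrives. A short comment where the attribute's networking rules begin, `# unlabeled recvfrom is granted via domain_type, not via this attribute`, would keep the next maintainer from re-adding the call.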
@@ -25187,7 +25931,15 @@ index 95771f4..41c2fa1 100644 type java_t; type java_exec_t; -@@ -108,7 +108,7 @@ userdom_manage_user_home_content_sockets(java_t) +@@ -62,7 +62,6 @@ kernel_read_system_state(java_t) + # Search bin directory under java for java executable + corecmd_search_bin(java_t) + +-corenet_all_recvfrom_unlabeled(java_t) + corenet_all_recvfrom_netlabel(java_t) + corenet_tcp_sendrecv_generic_if(java_t) + corenet_udp_sendrecv_generic_if(java_t) +@@ -108,7 +107,7 @@ userdom_manage_user_home_content_sockets(java_t) userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file }) userdom_write_user_tmp_sockets(java_t) @@ -26134,10 +26886,10 @@ index 3525d24..ad19527 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/kerberos.if b/kerberos.if -index 604f67b..ebebcd5 100644 +index 604f67b..71b1df2 100644 --- a/kerberos.if +++ b/kerberos.if -@@ -84,7 +84,7 @@ interface(`kerberos_use',` +@@ -84,11 +84,10 @@ interface(`kerberos_use',` selinux_dontaudit_validate_context($1) seutil_dontaudit_read_file_contexts($1) @@ -26146,7 +26898,11 @@ index 604f67b..ebebcd5 100644 allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; -@@ -103,11 +103,12 @@ interface(`kerberos_use',` +- corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) +@@ -103,11 +102,12 @@ interface(`kerberos_use',` corenet_sendrecv_kerberos_client_packets($1) corenet_sendrecv_ocsp_client_packets($1) @@ -26161,7 +26917,7 @@ index 604f67b..ebebcd5 100644 pcscd_stream_connect($1) ') ') -@@ -218,6 +219,25 @@ interface(`kerberos_rw_keytab',` +@@ -218,6 +218,25 @@ interface(`kerberos_rw_keytab',` ######################################## ## 
@@ -26187,7 +26943,7 @@ index 604f67b..ebebcd5 100644 ## Create a derived type for kerberos keytab ## ## -@@ -282,42 +302,21 @@ interface(`kerberos_manage_host_rcache',` +@@ -282,42 +301,21 @@ interface(`kerberos_manage_host_rcache',` # does not work in conditionals domain_obj_id_change_exemption($1) @@ -26233,7 +26989,7 @@ index 604f67b..ebebcd5 100644 ## All of the rules required to administrate ## an kerberos environment ## -@@ -338,18 +337,22 @@ interface(`kerberos_admin',` +@@ -338,18 +336,22 @@ interface(`kerberos_admin',` type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; @@ -26261,7 +27017,7 @@ index 604f67b..ebebcd5 100644 ps_process_pattern($1, kpropd_t) init_labeled_script_domtrans($1, kerberos_initrc_exec_t) -@@ -378,3 +381,114 @@ interface(`kerberos_admin',` +@@ -378,3 +380,114 @@ interface(`kerberos_admin',` admin_pattern($1, krb5kdc_var_run_t) ') @@ -26377,7 +27133,7 @@ index 604f67b..ebebcd5 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") +') diff --git a/kerberos.te b/kerberos.te -index 8edc29b..86ba21b 100644 +index 8edc29b..9e9473d 100644 --- a/kerberos.te +++ b/kerberos.te @@ -10,7 +10,7 @@ policy_module(kerberos, 1.11.0) 
@@ -26439,7 +27195,15 @@ index 8edc29b..86ba21b 100644 allow kadmind_t krb5kdc_principal_t:file manage_file_perms; filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file) -@@ -126,10 +127,13 @@ corenet_udp_sendrecv_all_ports(kadmind_t) +@@ -115,7 +116,6 @@ kernel_read_network_state(kadmind_t) + kernel_read_proc_symlinks(kadmind_t) + kernel_read_system_state(kadmind_t) + +-corenet_all_recvfrom_unlabeled(kadmind_t) + corenet_all_recvfrom_netlabel(kadmind_t) + corenet_tcp_sendrecv_generic_if(kadmind_t) + corenet_udp_sendrecv_generic_if(kadmind_t) +@@ -126,10 +126,13 @@ corenet_udp_sendrecv_all_ports(kadmind_t) corenet_tcp_bind_generic_node(kadmind_t) corenet_udp_bind_generic_node(kadmind_t) corenet_tcp_bind_kerberos_admin_port(kadmind_t) @@ -26453,7 +27217,7 @@ index 8edc29b..86ba21b 100644 dev_read_sysfs(kadmind_t) dev_read_rand(kadmind_t) -@@ -149,6 +153,7 @@ selinux_validate_context(kadmind_t) +@@ -149,6 +152,7 @@ selinux_validate_context(kadmind_t) logging_send_syslog_msg(kadmind_t) @@ -26461,7 +27225,7 @@ index 8edc29b..86ba21b 100644 miscfiles_read_localization(kadmind_t) seutil_read_file_contexts(kadmind_t) -@@ -160,6 +165,14 @@ userdom_dontaudit_use_unpriv_user_fds(kadmind_t) +@@ -160,6 +164,14 @@ userdom_dontaudit_use_unpriv_user_fds(kadmind_t) userdom_dontaudit_search_user_home_dirs(kadmind_t) optional_policy(` @@ -26476,7 +27240,7 @@ index 8edc29b..86ba21b 100644 nis_use_ypbind(kadmind_t) ') -@@ -193,13 +206,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t) +@@ -193,13 +205,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t) read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) dontaudit krb5kdc_t krb5kdc_conf_t:file write; 
@@ -26492,7 +27256,15 @@ index 8edc29b..86ba21b 100644 manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -@@ -249,6 +261,7 @@ selinux_validate_context(krb5kdc_t) +@@ -217,7 +228,6 @@ kernel_search_network_sysctl(krb5kdc_t) + + corecmd_exec_bin(krb5kdc_t) + +-corenet_all_recvfrom_unlabeled(krb5kdc_t) + corenet_all_recvfrom_netlabel(krb5kdc_t) + corenet_tcp_sendrecv_generic_if(krb5kdc_t) + corenet_udp_sendrecv_generic_if(krb5kdc_t) +@@ -249,6 +259,7 @@ selinux_validate_context(krb5kdc_t) logging_send_syslog_msg(krb5kdc_t) @@ -26500,7 +27272,7 @@ index 8edc29b..86ba21b 100644 miscfiles_read_localization(krb5kdc_t) seutil_read_file_contexts(krb5kdc_t) -@@ -260,6 +273,14 @@ userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) +@@ -260,6 +271,14 @@ userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) userdom_dontaudit_search_user_home_dirs(krb5kdc_t) optional_policy(` @@ -26515,6 +27287,14 @@ index 8edc29b..86ba21b 100644 nis_use_ypbind(krb5kdc_t) ') +@@ -300,7 +319,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) + + corecmd_exec_bin(kpropd_t) + +-corenet_all_recvfrom_unlabeled(kpropd_t) + corenet_tcp_sendrecv_generic_if(kpropd_t) + corenet_tcp_sendrecv_generic_node(kpropd_t) + corenet_tcp_sendrecv_all_ports(kpropd_t) diff --git a/kerneloops.if b/kerneloops.if index 835b16b..8a98c76 100644 --- a/kerneloops.if @@ -26544,10 +27324,18 @@ index 835b16b..8a98c76 100644 admin_pattern($1, kerneloops_tmp_t) ') diff --git a/kerneloops.te b/kerneloops.te -index 6b35547..97b6483 100644 +index 6b35547..c52c60a 100644 --- a/kerneloops.te 
+++ b/kerneloops.te -@@ -40,7 +40,6 @@ corenet_tcp_sendrecv_all_ports(kerneloops_t) +@@ -32,7 +32,6 @@ kernel_read_ring_buffer(kerneloops_t) + # Init script handling + domain_use_interactive_fds(kerneloops_t) + +-corenet_all_recvfrom_unlabeled(kerneloops_t) + corenet_all_recvfrom_netlabel(kerneloops_t) + corenet_tcp_sendrecv_generic_if(kerneloops_t) + corenet_tcp_sendrecv_generic_node(kerneloops_t) +@@ -40,7 +39,6 @@ corenet_tcp_sendrecv_all_ports(kerneloops_t) corenet_tcp_bind_http_port(kerneloops_t) corenet_tcp_connect_http_port(kerneloops_t) @@ -26969,10 +27757,18 @@ index c18c920..582f7f3 100644 kismet_manage_pid_files($1) kismet_manage_lib($1) diff --git a/kismet.te b/kismet.te -index 9dd6880..cb634e4 100644 +index 9dd6880..ab842bd 100644 --- a/kismet.te +++ b/kismet.te -@@ -86,12 +86,11 @@ corenet_tcp_connect_pulseaudio_port(kismet_t) +@@ -74,7 +74,6 @@ kernel_read_network_state(kismet_t) + + corecmd_exec_bin(kismet_t) + +-corenet_all_recvfrom_unlabeled(kismet_t) + corenet_all_recvfrom_netlabel(kismet_t) + corenet_tcp_sendrecv_generic_if(kismet_t) + corenet_tcp_sendrecv_generic_node(kismet_t) +@@ -86,12 +85,11 @@ corenet_tcp_connect_pulseaudio_port(kismet_t) auth_use_nsswitch(kismet_t) @@ -27069,10 +27865,18 @@ index a73b7a1..9707887 100644 miscfiles_read_localization(ksmtuned_t) diff --git a/ktalk.te b/ktalk.te -index ca5cfdf..cdaeee8 100644 +index ca5cfdf..76d60be 100644 --- a/ktalk.te +++ b/ktalk.te -@@ -65,10 +65,9 @@ dev_read_urand(ktalkd_t) +@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ktalkd_t) + kernel_read_system_state(ktalkd_t) + kernel_read_network_state(ktalkd_t) + +-corenet_all_recvfrom_unlabeled(ktalkd_t) + corenet_all_recvfrom_netlabel(ktalkd_t) + corenet_tcp_sendrecv_generic_if(ktalkd_t) + corenet_udp_sendrecv_generic_if(ktalkd_t) +@@ -65,10 +64,9 @@ dev_read_urand(ktalkd_t) fs_getattr_xattr_fs(ktalkd_t) @@ -27349,10 +28153,10 @@ index 0000000..562d25b +') 
diff --git a/l2tpd.te b/l2tpd.te new file mode 100644 -index 0000000..1b720ad +index 0000000..20d7de2 --- /dev/null +++ b/l2tpd.te -@@ -0,0 +1,101 @@ +@@ -0,0 +1,100 @@ +policy_module(l2tpd, 1.0.0) + +######################################## @@ -27402,7 +28206,6 @@ index 0000000..1b720ad +manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t) +files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file) + -+corenet_all_recvfrom_unlabeled(l2tpd_t) +corenet_all_recvfrom_netlabel(l2tpd_t) +corenet_raw_sendrecv_generic_if(l2tpd_t) +corenet_tcp_sendrecv_generic_if(l2tpd_t) @@ -27609,7 +28412,7 @@ index 3aa8fa7..9539b76 100644 + allow $1 ldap_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index 64fd1ff..fe76c32 100644 +index 64fd1ff..5e4a8db 100644 --- a/ldap.te +++ b/ldap.te @@ -10,7 +10,7 @@ type slapd_exec_t; @@ -27646,7 +28449,7 @@ index 64fd1ff..fe76c32 100644 type slapd_var_run_t; files_pid_file(slapd_var_run_t) -@@ -67,13 +76,21 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) +@@ -67,18 +76,25 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) @@ -27669,7 +28472,12 @@ index 64fd1ff..fe76c32 100644 kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) -@@ -100,12 +117,12 @@ fs_search_auto_mountpoints(slapd_t) + +-corenet_all_recvfrom_unlabeled(slapd_t) + corenet_all_recvfrom_netlabel(slapd_t) + corenet_tcp_sendrecv_generic_if(slapd_t) + corenet_udp_sendrecv_generic_if(slapd_t) +@@ -100,12 +116,12 @@ fs_search_auto_mountpoints(slapd_t) domain_use_interactive_fds(slapd_t) @@ -27683,7 +28491,7 @@ index 64fd1ff..fe76c32 100644 logging_send_syslog_msg(slapd_t) -@@ -117,6 +134,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t) +@@ -117,6 +133,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t) optional_policy(` kerberos_keytab_template(slapd, slapd_t) 
@@ -27721,7 +28529,7 @@ index 771e04b..81d98b3 100644 manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) files_pid_filetrans($1_t, $1_var_run_t, file) diff --git a/likewise.te b/likewise.te -index 5ba6cc2..8df4b60 100644 +index 5ba6cc2..e3f65d6 100644 --- a/likewise.te +++ b/likewise.te @@ -17,7 +17,7 @@ type likewise_var_lib_t; 
@@ -27733,7 +28541,39 @@ index 5ba6cc2..8df4b60 100644 type likewise_krb5_ad_t; files_type(likewise_krb5_ad_t) -@@ -205,7 +205,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_ +@@ -49,7 +49,6 @@ likewise_domain_template(srvsvcd) + stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) + + corenet_all_recvfrom_netlabel(dcerpcd_t) +-corenet_all_recvfrom_unlabeled(dcerpcd_t) + corenet_sendrecv_generic_client_packets(dcerpcd_t) + corenet_sendrecv_generic_server_packets(dcerpcd_t) + corenet_tcp_sendrecv_generic_if(dcerpcd_t) +@@ -73,7 +72,6 @@ stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dc + stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) + + corenet_all_recvfrom_netlabel(eventlogd_t) +-corenet_all_recvfrom_unlabeled(eventlogd_t) + corenet_sendrecv_generic_server_packets(eventlogd_t) + corenet_tcp_sendrecv_generic_if(eventlogd_t) + corenet_tcp_sendrecv_generic_node(eventlogd_t) +@@ -116,7 +114,6 @@ corecmd_exec_bin(lsassd_t) + corecmd_exec_shell(lsassd_t) + + corenet_all_recvfrom_netlabel(lsassd_t) +-corenet_all_recvfrom_unlabeled(lsassd_t) + corenet_tcp_sendrecv_generic_if(lsassd_t) + corenet_tcp_sendrecv_generic_node(lsassd_t) + corenet_tcp_sendrecv_generic_port(lsassd_t) +@@ -165,7 +162,6 @@ stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_ + stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) + + corenet_all_recvfrom_netlabel(lwiod_t) +-corenet_all_recvfrom_unlabeled(lwiod_t) + corenet_sendrecv_smbd_server_packets(lwiod_t) + corenet_sendrecv_smbd_client_packets(lwiod_t) + corenet_tcp_sendrecv_generic_if(lwiod_t) +@@ -205,7 +201,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_ # Likewise DC location service local policy # 
@@ -27742,6 +28582,14 @@ index 5ba6cc2..8df4b60 100644 manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t) +@@ -226,7 +222,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_ + stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) + + corenet_all_recvfrom_netlabel(srvsvcd_t) +-corenet_all_recvfrom_unlabeled(srvsvcd_t) + corenet_sendrecv_generic_server_packets(srvsvcd_t) + corenet_tcp_sendrecv_generic_if(srvsvcd_t) + corenet_tcp_sendrecv_generic_node(srvsvcd_t) diff --git a/lircd.fc b/lircd.fc index 49e04e5..69db026 100644 --- a/lircd.fc @@ -28645,7 +29493,7 @@ index a4f32f5..628b63c 100644 ## in the caller domain. ## diff --git a/lpd.te b/lpd.te -index a03b63a..ce66d05 100644 +index a03b63a..bffcbdb 100644 --- a/lpd.te +++ b/lpd.te @@ -45,14 +45,14 @@ userdom_user_tmp_file(lpr_tmp_t) @@ -28665,7 +29513,7 @@ index a03b63a..ce66d05 100644 ######################################## # -@@ -78,7 +78,7 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t) +@@ -78,12 +78,11 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t) delete_files_pattern(checkpc_t, print_spool_t, print_spool_t) files_search_spool(checkpc_t) @@ -28674,7 +29522,12 @@ index a03b63a..ce66d05 100644 allow checkpc_t printconf_t:dir list_dir_perms; kernel_read_system_state(checkpc_t) -@@ -102,7 +102,6 @@ corecmd_exec_bin(checkpc_t) + +-corenet_all_recvfrom_unlabeled(checkpc_t) + corenet_all_recvfrom_netlabel(checkpc_t) + corenet_tcp_sendrecv_generic_if(checkpc_t) + corenet_udp_sendrecv_generic_if(checkpc_t) +@@ -102,7 +101,6 @@ corecmd_exec_bin(checkpc_t) domain_use_interactive_fds(checkpc_t) @@ -28682,7 +29535,7 @@ index a03b63a..ce66d05 100644 files_read_etc_runtime_files(checkpc_t) init_use_script_ptys(checkpc_t) -@@ -111,7 +110,7 @@ init_use_fds(checkpc_t) +@@ -111,7 +109,7 @@ init_use_fds(checkpc_t) sysnet_read_config(checkpc_t) 
@@ -28691,7 +29544,7 @@ index a03b63a..ce66d05 100644 optional_policy(` cron_system_entry(checkpc_t, checkpc_exec_t) -@@ -143,9 +142,10 @@ manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) +@@ -143,9 +141,10 @@ manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir }) @@ -28703,7 +29556,15 @@ index a03b63a..ce66d05 100644 # Write to /var/spool/lpd. manage_files_pattern(lpd_t, print_spool_t, print_spool_t) -@@ -197,7 +197,6 @@ files_list_var_lib(lpd_t) +@@ -163,7 +162,6 @@ kernel_read_kernel_sysctls(lpd_t) + # bash wants access to /proc/meminfo + kernel_read_system_state(lpd_t) + +-corenet_all_recvfrom_unlabeled(lpd_t) + corenet_all_recvfrom_netlabel(lpd_t) + corenet_tcp_sendrecv_generic_if(lpd_t) + corenet_udp_sendrecv_generic_if(lpd_t) +@@ -197,7 +195,6 @@ files_list_var_lib(lpd_t) files_read_var_lib_files(lpd_t) files_read_var_lib_symlinks(lpd_t) # config files for lpd are of type etc_t, probably should change this @@ -28711,15 +29572,18 @@ index a03b63a..ce66d05 100644 logging_send_syslog_msg(lpd_t) -@@ -236,6 +235,7 @@ can_exec(lpr_t, lpr_exec_t) +@@ -236,9 +233,9 @@ can_exec(lpr_t, lpr_exec_t) # Allow lpd to read, rename, and unlink spool files. allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms }; +kernel_read_system_state(lpr_t) kernel_read_kernel_sysctls(lpr_t) - corenet_all_recvfrom_unlabeled(lpr_t) -@@ -256,7 +256,6 @@ domain_use_interactive_fds(lpr_t) +-corenet_all_recvfrom_unlabeled(lpr_t) + corenet_all_recvfrom_netlabel(lpr_t) + corenet_tcp_sendrecv_generic_if(lpr_t) + corenet_udp_sendrecv_generic_if(lpr_t) +@@ -256,7 +253,6 @@ domain_use_interactive_fds(lpr_t) files_search_spool(lpr_t) # for lpd config files (should have a new type) 
@@ -28727,7 +29591,7 @@ index a03b63a..ce66d05 100644 # for test print files_read_usr_files(lpr_t) #Added to cover read_content macro -@@ -275,19 +274,21 @@ miscfiles_read_localization(lpr_t) +@@ -275,19 +271,21 @@ miscfiles_read_localization(lpr_t) userdom_read_user_tmp_symlinks(lpr_t) # Write to the user domain tty. @@ -28754,7 +29618,7 @@ index a03b63a..ce66d05 100644 # Send SIGHUP to lpd. allow lpr_t lpd_t:process signal; -@@ -305,17 +306,7 @@ tunable_policy(`use_lpd_server',` +@@ -305,17 +303,7 @@ tunable_policy(`use_lpd_server',` read_lnk_files_pattern(lpr_t, printconf_t, printconf_t) ') @@ -28773,7 +29637,7 @@ index a03b63a..ce66d05 100644 optional_policy(` cups_read_config(lpr_t) -@@ -324,5 +315,13 @@ optional_policy(` +@@ -324,5 +312,13 @@ optional_policy(` ') optional_policy(` @@ -28833,10 +29697,18 @@ index 1083f98..c7daa85 100644 +/var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) ') diff --git a/mailman.if b/mailman.if -index 67c7fdd..77f20c3 100644 +index 67c7fdd..20fded2 100644 --- a/mailman.if +++ b/mailman.if -@@ -74,7 +74,7 @@ template(`mailman_domain_template', ` +@@ -54,7 +54,6 @@ template(`mailman_domain_template', ` + kernel_read_kernel_sysctls(mailman_$1_t) + kernel_read_system_state(mailman_$1_t) + +- corenet_all_recvfrom_unlabeled(mailman_$1_t) + corenet_all_recvfrom_netlabel(mailman_$1_t) + corenet_tcp_sendrecv_generic_if(mailman_$1_t) + corenet_udp_sendrecv_generic_if(mailman_$1_t) +@@ -74,7 +73,7 @@ template(`mailman_domain_template', ` corecmd_exec_all_executables(mailman_$1_t) files_exec_etc_files(mailman_$1_t) @@ -28845,7 +29717,7 @@ index 67c7fdd..77f20c3 100644 files_list_var(mailman_$1_t) files_list_var_lib(mailman_$1_t) files_read_var_lib_symlinks(mailman_$1_t) -@@ -108,6 +108,31 @@ interface(`mailman_domtrans',` +@@ -108,6 +107,31 @@ interface(`mailman_domtrans',` domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t) ') 
@@ -29947,10 +30819,18 @@ index db4fd6f..650014e 100644 admin_pattern($1, memcached_var_run_t) ') diff --git a/memcached.te b/memcached.te -index b681608..9ad4b2e 100644 +index b681608..27460d5 100644 --- a/memcached.te +++ b/memcached.te -@@ -42,12 +42,12 @@ corenet_udp_bind_memcache_port(memcached_t) +@@ -28,7 +28,6 @@ allow memcached_t self:udp_socket { create_socket_perms listen }; + allow memcached_t self:fifo_file rw_fifo_file_perms; + allow memcached_t self:unix_stream_socket create_stream_socket_perms; + +-corenet_all_recvfrom_unlabeled(memcached_t) + corenet_udp_sendrecv_generic_if(memcached_t) + corenet_udp_sendrecv_generic_node(memcached_t) + corenet_udp_sendrecv_all_ports(memcached_t) +@@ -42,12 +41,12 @@ corenet_udp_bind_memcache_port(memcached_t) manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) @@ -30848,6 +31728,18 @@ index dff0f12..ecab36d 100644 init_dbus_chat_script(mono_t) +diff --git a/monop.te b/monop.te +index 6647a35..4c5bf65 100644 +--- a/monop.te ++++ b/monop.te +@@ -42,7 +42,6 @@ kernel_read_kernel_sysctls(monopd_t) + kernel_list_proc(monopd_t) + kernel_read_proc_symlinks(monopd_t) + +-corenet_all_recvfrom_unlabeled(monopd_t) + corenet_all_recvfrom_netlabel(monopd_t) + corenet_tcp_sendrecv_generic_if(monopd_t) + corenet_udp_sendrecv_generic_if(monopd_t) diff --git a/mozilla.fc b/mozilla.fc index 3a73e74..60e7237 100644 --- a/mozilla.fc @@ -31168,7 +32060,7 @@ index b397fde..25a03ce 100644 +') + diff --git a/mozilla.te b/mozilla.te -index 0724816..3488035 100644 +index 0724816..85fd964 100644 --- a/mozilla.te +++ b/mozilla.te @@ -12,14 +12,22 @@ policy_module(mozilla, 2.5.3) 
@@ -31224,7 +32116,15 @@ index 0724816..3488035 100644 type mozilla_tmp_t; userdom_user_tmp_file(mozilla_tmp_t) -@@ -110,6 +130,7 @@ corenet_tcp_sendrecv_http_port(mozilla_t) +@@ -100,7 +120,6 @@ corecmd_exec_shell(mozilla_t) + corecmd_exec_bin(mozilla_t) + + # Browse the web, connect to printer +-corenet_all_recvfrom_unlabeled(mozilla_t) + corenet_all_recvfrom_netlabel(mozilla_t) + corenet_tcp_sendrecv_generic_if(mozilla_t) + corenet_raw_sendrecv_generic_if(mozilla_t) +@@ -110,6 +129,7 @@ corenet_tcp_sendrecv_http_port(mozilla_t) corenet_tcp_sendrecv_http_cache_port(mozilla_t) corenet_tcp_sendrecv_squid_port(mozilla_t) corenet_tcp_sendrecv_ftp_port(mozilla_t) @@ -31232,7 +32132,7 @@ index 0724816..3488035 100644 corenet_tcp_sendrecv_ipp_port(mozilla_t) corenet_tcp_connect_http_port(mozilla_t) corenet_tcp_connect_http_cache_port(mozilla_t) -@@ -140,7 +161,6 @@ domain_dontaudit_read_all_domains_state(mozilla_t) +@@ -140,7 +160,6 @@ domain_dontaudit_read_all_domains_state(mozilla_t) files_read_etc_runtime_files(mozilla_t) files_read_usr_files(mozilla_t) @@ -31240,7 +32140,7 @@ index 0724816..3488035 100644 # /var/lib files_read_var_lib_files(mozilla_t) # interacting with gstreamer -@@ -155,38 +175,31 @@ fs_rw_tmpfs_files(mozilla_t) +@@ -155,38 +174,31 @@ fs_rw_tmpfs_files(mozilla_t) term_dontaudit_getattr_pty_dirs(mozilla_t) @@ -31288,7 +32188,7 @@ index 0724816..3488035 100644 # Uploads, local html tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` -@@ -263,6 +276,7 @@ optional_policy(` +@@ -263,6 +275,7 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) gnome_manage_config(mozilla_t) @@ -31296,7 +32196,7 @@ index 0724816..3488035 100644 ') optional_policy(` -@@ -283,7 +297,8 @@ optional_policy(` +@@ -283,7 +296,8 @@ optional_policy(` ') optional_policy(` 
@@ -31306,7 +32206,7 @@ index 0724816..3488035 100644 pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) ') -@@ -297,25 +312,35 @@ optional_policy(` +@@ -297,25 +311,35 @@ optional_policy(` # mozilla_plugin local policy # @@ -31350,7 +32250,7 @@ index 0724816..3488035 100644 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -@@ -323,31 +348,48 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug +@@ -323,31 +347,48 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) @@ -31406,7 +32306,7 @@ index 0724816..3488035 100644 dev_read_video_dev(mozilla_plugin_t) dev_write_video_dev(mozilla_plugin_t) dev_read_sysfs(mozilla_plugin_t) -@@ -356,6 +398,7 @@ dev_write_sound(mozilla_plugin_t) +@@ -356,6 +397,7 @@ dev_write_sound(mozilla_plugin_t) # for nvidia driver dev_rw_xserver_misc(mozilla_plugin_t) dev_dontaudit_rw_dri(mozilla_plugin_t) @@ -31414,7 +32314,7 @@ index 0724816..3488035 100644 domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -363,15 +406,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) +@@ -363,15 +405,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) 
@@ -31438,7 +32338,7 @@ index 0724816..3488035 100644 logging_send_syslog_msg(mozilla_plugin_t) miscfiles_read_localization(mozilla_plugin_t) -@@ -380,39 +431,29 @@ miscfiles_read_generic_certs(mozilla_plugin_t) +@@ -380,39 +430,29 @@ miscfiles_read_generic_certs(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) @@ -31490,7 +32390,7 @@ index 0724816..3488035 100644 optional_policy(` alsa_read_rw_config(mozilla_plugin_t) -@@ -422,24 +463,37 @@ optional_policy(` +@@ -422,24 +462,37 @@ optional_policy(` optional_policy(` dbus_system_bus_client(mozilla_plugin_t) dbus_session_bus_client(mozilla_plugin_t) @@ -31532,7 +32432,7 @@ index 0724816..3488035 100644 ') optional_policy(` -@@ -447,10 +501,104 @@ optional_policy(` +@@ -447,10 +500,104 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -31665,7 +32565,7 @@ index d72276f..cb8c563 100644 mpd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/mpd.te b/mpd.te -index 7f68872..a683505 100644 +index 7f68872..42b966b 100644 --- a/mpd.te +++ b/mpd.te @@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; @@ -31689,7 +32589,15 @@ index 7f68872..a683505 100644 manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) -@@ -103,6 +110,10 @@ logging_send_syslog_msg(mpd_t) +@@ -72,7 +79,6 @@ kernel_read_kernel_sysctls(mpd_t) + + corecmd_exec_bin(mpd_t) + +-corenet_all_recvfrom_unlabeled(mpd_t) + corenet_all_recvfrom_netlabel(mpd_t) + corenet_tcp_sendrecv_generic_if(mpd_t) + corenet_tcp_sendrecv_generic_node(mpd_t) +@@ -103,6 +109,10 @@ logging_send_syslog_msg(mpd_t) miscfiles_read_localization(mpd_t) 
@@ -31700,7 +32608,7 @@ index 7f68872..a683505 100644 optional_policy(` alsa_read_rw_config(mpd_t) ') -@@ -122,5 +133,14 @@ optional_policy(` +@@ -122,5 +132,14 @@ optional_policy(` ') optional_policy(` @@ -31760,7 +32668,7 @@ index d8ea41d..8bdc526 100644 + domtrans_pattern($1, mplayer_exec_t, $2) +') diff --git a/mplayer.te b/mplayer.te -index 0cdea57..85c6ad2 100644 +index 0cdea57..f84b0da 100644 --- a/mplayer.te +++ b/mplayer.te @@ -10,7 +10,7 @@ policy_module(mplayer, 2.4.0) @@ -31858,7 +32766,15 @@ index 0cdea57..85c6ad2 100644 manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -@@ -206,7 +168,6 @@ domain_use_interactive_fds(mplayer_t) +@@ -177,7 +139,6 @@ kernel_read_system_state(mplayer_t) + kernel_read_kernel_sysctls(mplayer_t) + + corenet_all_recvfrom_netlabel(mplayer_t) +-corenet_all_recvfrom_unlabeled(mplayer_t) + corenet_tcp_sendrecv_generic_if(mplayer_t) + corenet_tcp_sendrecv_generic_node(mplayer_t) + corenet_tcp_bind_generic_node(mplayer_t) +@@ -206,7 +167,6 @@ domain_use_interactive_fds(mplayer_t) # Access to DVD/CD/V4L storage_raw_read_removable_device(mplayer_t) @@ -31866,7 +32782,7 @@ index 0cdea57..85c6ad2 100644 files_dontaudit_list_non_security(mplayer_t) files_dontaudit_getattr_non_security_files(mplayer_t) files_read_non_security_files(mplayer_t) -@@ -222,10 +183,14 @@ fs_dontaudit_getattr_all_fs(mplayer_t) +@@ -222,10 +182,14 @@ fs_dontaudit_getattr_all_fs(mplayer_t) fs_search_auto_mountpoints(mplayer_t) fs_list_inotifyfs(mplayer_t) @@ -31882,7 +32798,7 @@ index 0cdea57..85c6ad2 100644 # Read media files userdom_list_user_tmp(mplayer_t) userdom_read_user_tmp_files(mplayer_t) -@@ -233,6 +198,7 @@ userdom_read_user_tmp_symlinks(mplayer_t) +@@ -233,6 +197,7 @@ userdom_read_user_tmp_symlinks(mplayer_t) userdom_read_user_home_content_files(mplayer_t) userdom_read_user_home_content_symlinks(mplayer_t) userdom_write_user_tmp_sockets(mplayer_t) 
@@ -31890,7 +32806,7 @@ index 0cdea57..85c6ad2 100644 xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t) -@@ -243,62 +209,31 @@ ifdef(`enable_mls',`',` +@@ -243,62 +208,31 @@ ifdef(`enable_mls',`',` fs_read_removable_symlinks(mplayer_t) ') @@ -31962,7 +32878,7 @@ index 0cdea57..85c6ad2 100644 optional_policy(` diff --git a/mrtg.te b/mrtg.te -index 0e19d80..7f822c5 100644 +index 0e19d80..1a53995 100644 --- a/mrtg.te +++ b/mrtg.te @@ -43,9 +43,12 @@ read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t) @@ -31978,7 +32894,15 @@ index 0e19d80..7f822c5 100644 manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t) logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir }) -@@ -88,7 +91,6 @@ files_getattr_tmp_dirs(mrtg_t) +@@ -62,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t) + corecmd_exec_bin(mrtg_t) + corecmd_exec_shell(mrtg_t) + +-corenet_all_recvfrom_unlabeled(mrtg_t) + corenet_all_recvfrom_netlabel(mrtg_t) + corenet_tcp_sendrecv_generic_if(mrtg_t) + corenet_udp_sendrecv_generic_if(mrtg_t) +@@ -88,7 +90,6 @@ files_getattr_tmp_dirs(mrtg_t) # for uptime files_read_etc_runtime_files(mrtg_t) # read config files @@ -31986,7 +32910,7 @@ index 0e19d80..7f822c5 100644 fs_search_auto_mountpoints(mrtg_t) fs_getattr_xattr_fs(mrtg_t) -@@ -112,9 +114,10 @@ miscfiles_read_localization(mrtg_t) +@@ -112,9 +113,10 @@ miscfiles_read_localization(mrtg_t) selinux_dontaudit_getattr_dir(mrtg_t) @@ -32628,7 +33552,7 @@ index 4e2a5ba..68e2429 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index 25151b4..f16caa1 100644 +index 25151b4..507c17e 100644 --- a/mta.te +++ b/mta.te @@ -20,14 +20,19 @@ files_type(etc_aliases_t) @@ -32810,7 +33734,7 @@ index 25151b4..f16caa1 100644 smartmon_read_tmp_files(system_mail_t) ') -@@ -199,15 +222,16 @@ optional_policy(` +@@ -199,20 +222,23 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) 
@@ -32831,7 +33755,14 @@ index 25151b4..f16caa1 100644 ######################################## # # Mailserver delivery local policy -@@ -220,21 +244,13 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) + # + ++allow mailserver_delivery self:fifo_file rw_inherited_fifo_file_perms; ++ + allow mailserver_delivery mail_spool_t:dir list_dir_perms; + create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) + read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -220,21 +246,13 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -32858,7 +33789,7 @@ index 25151b4..f16caa1 100644 optional_policy(` dovecot_manage_spool(mailserver_delivery) -@@ -242,6 +258,10 @@ optional_policy(` +@@ -242,6 +260,10 @@ optional_policy(` ') optional_policy(` @@ -32869,7 +33800,7 @@ index 25151b4..f16caa1 100644 # so MTA can access /var/lib/mailman/mail/wrapper files_search_var_lib(mailserver_delivery) -@@ -249,6 +269,14 @@ optional_policy(` +@@ -249,6 +271,14 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -32884,7 +33815,7 @@ index 25151b4..f16caa1 100644 ######################################## # # User send mail local policy -@@ -256,9 +284,9 @@ optional_policy(` +@@ -256,9 +286,9 @@ optional_policy(` domain_use_interactive_fds(user_mail_t) 
@@ -32896,7 +33827,16 @@ index 25151b4..f16caa1 100644 # Create dead.letter in user home directories. userdom_manage_user_home_content_files(user_mail_t) userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) -@@ -277,6 +305,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t) +@@ -270,6 +300,8 @@ userdom_manage_user_home_content_symlinks(mailserver_delivery) + userdom_manage_user_home_content_pipes(mailserver_delivery) + userdom_manage_user_home_content_sockets(mailserver_delivery) + userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file }) ++allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms; ++ + # Read user temporary files. + userdom_read_user_tmp_files(user_mail_t) + userdom_dontaudit_append_user_tmp_files(user_mail_t) +@@ -277,6 +309,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t) # files in an appropriate place for mta_user_agent userdom_read_user_tmp_files(mta_user_agent) @@ -32905,7 +33845,7 @@ index 25151b4..f16caa1 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(user_mail_t) fs_manage_cifs_symlinks(user_mail_t) -@@ -292,3 +322,123 @@ optional_policy(` +@@ -292,3 +326,122 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -32956,7 +33896,6 @@ index 25151b4..f16caa1 100644 +kernel_read_system_state(user_mail_domain) +kernel_read_kernel_sysctls(user_mail_domain) + -+corenet_all_recvfrom_unlabeled(user_mail_domain) +corenet_all_recvfrom_netlabel(user_mail_domain) +corenet_tcp_sendrecv_generic_if(user_mail_domain) +corenet_tcp_sendrecv_generic_node(user_mail_domain) @@ -33156,7 +34095,7 @@ index c358d8f..7c097ec 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index f17583b..d6ebc6b 100644 +index f17583b..6fd4f42 100644 --- a/munin.te +++ b/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) 
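Review bot: `allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;` is a strict superset of the `self:fifo_file` rule this same commit adds earlier in mta.te, so one of the two is redundant, and this one sits under the "User send mail local policy" heading next to user-home rules rather than beside the other pipe rule under the delivery heading. Unlike `self`, it lets every delivery domain read and write pipes labelled with any other delivery domain; how many domains that joins depends on the attribute's membership, which is defined outside this hunk. If the intended case is a parent MTA domain handing a pipe to the local delivery agent it exec's, that deserves a comment, e.g. `# delivery agents inherit the message pipe from the MTA domain that exec'd them`, and the earlier `self` rule can then be dropped.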
@@ -33210,7 +34149,15 @@ index f17583b..d6ebc6b 100644 kernel_read_system_state(munin_t) kernel_read_network_state(munin_t) -@@ -101,7 +111,6 @@ dev_read_urand(munin_t) +@@ -82,7 +92,6 @@ kernel_read_all_sysctls(munin_t) + corecmd_exec_bin(munin_t) + corecmd_exec_shell(munin_t) + +-corenet_all_recvfrom_unlabeled(munin_t) + corenet_all_recvfrom_netlabel(munin_t) + corenet_tcp_sendrecv_generic_if(munin_t) + corenet_udp_sendrecv_generic_if(munin_t) +@@ -101,7 +110,6 @@ dev_read_urand(munin_t) domain_use_interactive_fds(munin_t) domain_read_all_domains_state(munin_t) @@ -33218,7 +34165,7 @@ index f17583b..d6ebc6b 100644 files_read_etc_runtime_files(munin_t) files_read_usr_files(munin_t) files_list_spool(munin_t) -@@ -116,6 +125,7 @@ logging_read_all_logs(munin_t) +@@ -116,6 +124,7 @@ logging_read_all_logs(munin_t) miscfiles_read_fonts(munin_t) miscfiles_read_localization(munin_t) @@ -33226,7 +34173,7 @@ index f17583b..d6ebc6b 100644 sysnet_exec_ifconfig(munin_t) -@@ -145,6 +155,7 @@ optional_policy(` +@@ -145,6 +154,7 @@ optional_policy(` optional_policy(` mta_read_config(munin_t) mta_send_mail(munin_t) @@ -33234,7 +34181,7 @@ index f17583b..d6ebc6b 100644 mta_read_queue(munin_t) ') -@@ -159,6 +170,7 @@ optional_policy(` +@@ -159,6 +169,7 @@ optional_policy(` optional_policy(` postfix_list_spool(munin_t) @@ -33242,7 +34189,7 @@ index f17583b..d6ebc6b 100644 ') optional_policy(` -@@ -182,6 +194,7 @@ optional_policy(` +@@ -182,6 +193,7 @@ optional_policy(` # local policy for disk plugins # @@ -33250,7 +34197,7 @@ index f17583b..d6ebc6b 100644 allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) -@@ -190,15 +203,14 @@ corecmd_exec_shell(disk_munin_plugin_t) +@@ -190,15 +202,14 @@ corecmd_exec_shell(disk_munin_plugin_t) corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) 
@@ -33269,7 +34216,7 @@ index f17583b..d6ebc6b 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -221,30 +233,43 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) +@@ -221,30 +232,43 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) dev_read_urand(mail_munin_plugin_t) @@ -33320,7 +34267,7 @@ index f17583b..d6ebc6b 100644 allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; allow services_munin_plugin_t self:udp_socket create_socket_perms; allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; -@@ -255,13 +280,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) +@@ -255,13 +279,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) dev_read_urand(services_munin_plugin_t) dev_read_rand(services_munin_plugin_t) @@ -33335,7 +34282,7 @@ index f17583b..d6ebc6b 100644 cups_stream_connect(services_munin_plugin_t) ') -@@ -279,6 +301,10 @@ optional_policy(` +@@ -279,6 +300,10 @@ optional_policy(` ') optional_policy(` @@ -33346,7 +34293,7 @@ index f17583b..d6ebc6b 100644 postgresql_stream_connect(services_munin_plugin_t) ') -@@ -286,6 +312,10 @@ optional_policy(` +@@ -286,6 +311,10 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') @@ -33357,7 +34304,7 @@ index f17583b..d6ebc6b 100644 ################################## # # local policy for system plugins -@@ -295,21 +325,52 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; +@@ -295,12 +324,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) 
@@ -33373,14 +34320,7 @@ index f17583b..d6ebc6b 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) - - domain_read_all_domains_state(system_munin_plugin_t) - -+auth_read_passwd(system_munin_plugin_t) -+ - # needed by users plugin - init_read_utmp(system_munin_plugin_t) - +@@ -313,3 +340,36 @@ init_read_utmp(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) @@ -33410,6 +34350,8 @@ index f17583b..d6ebc6b 100644 + +fs_getattr_all_fs(munin_plugin_domain) + ++auth_read_passwd(munin_plugin_domain) ++ +miscfiles_read_localization(munin_plugin_domain) + +optional_policy(` @@ -33683,7 +34625,7 @@ index e9c0982..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 1cf05a3..7289391 100644 +index 1cf05a3..e4792ab 100644 --- a/mysql.te +++ b/mysql.te @@ -29,6 +29,12 @@ files_type(mysqld_db_t) @@ -33713,7 +34655,7 @@ index 1cf05a3..7289391 100644 allow mysqld_t mysqld_etc_t:dir list_dir_perms; allow mysqld_t mysqld_log_t:file manage_file_perms; -@@ -78,13 +85,21 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) +@@ -78,14 +85,21 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) 
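Review bot: Moving `auth_read_passwd` from `system_munin_plugin_t` to `munin_plugin_domain` in the `@@ -33410,6 +34350,8 @@` hunk widens passwd access from one plugin type to what appears to be every munin plugin domain, and the removed rule's neighbouring justification `# needed by users plugin` is lost in the move. Neither the widening nor its reason is in the commit description. A one-line comment above `auth_read_passwd(munin_plugin_domain)` stating which plugins need passwd lookups would keep the rationale reviewable, e.g. `# needed by users plugin and other plugins resolving uids`, or the grant should stay on the specific plugin types that need it.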
@@ -33722,21 +34664,22 @@ index 1cf05a3..7289391 100644 manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) -files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file }) +files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) - -+userdom_dontaudit_use_unpriv_user_fds(mysqld_t) + ++userdom_dontaudit_use_unpriv_user_fds(mysqld_t) + +kernel_read_network_state(mysqld_t) kernel_read_system_state(mysqld_t) +kernel_read_network_state(mysqld_t) kernel_read_kernel_sysctls(mysqld_t) +-corenet_all_recvfrom_unlabeled(mysqld_t) +corecmd_exec_bin(mysqld_t) +corecmd_exec_shell(mysqld_t) + - corenet_all_recvfrom_unlabeled(mysqld_t) corenet_all_recvfrom_netlabel(mysqld_t) corenet_tcp_sendrecv_generic_if(mysqld_t) -@@ -110,7 +125,6 @@ domain_use_interactive_fds(mysqld_t) + corenet_udp_sendrecv_generic_if(mysqld_t) +@@ -110,7 +124,6 @@ domain_use_interactive_fds(mysqld_t) files_getattr_var_lib_dirs(mysqld_t) files_read_etc_runtime_files(mysqld_t) @@ -33744,7 +34687,7 @@ index 1cf05a3..7289391 100644 files_read_usr_files(mysqld_t) files_search_var_lib(mysqld_t) -@@ -122,13 +136,8 @@ miscfiles_read_localization(mysqld_t) +@@ -122,13 +135,8 @@ miscfiles_read_localization(mysqld_t) sysnet_read_config(mysqld_t) @@ -33759,7 +34702,7 @@ index 1cf05a3..7289391 100644 ') tunable_policy(`mysql_connect_any',` -@@ -154,10 +163,11 @@ optional_policy(` +@@ -154,10 +162,11 @@ optional_policy(` # allow mysqld_safe_t self:capability { chown dac_override fowner kill }; @@ -33772,7 +34715,7 @@ index 1cf05a3..7289391 100644 domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) -@@ -170,26 +180,33 @@ kernel_read_system_state(mysqld_safe_t) +@@ -170,26 +179,35 @@ kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) 
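Review bot: The context lines of this hunk show the inner mysql.te patch carrying `+kernel_read_network_state(mysqld_t)` twice, once before and once after `kernel_read_system_state(mysqld_t)`; this predates the commit, but since the hunk is being rewritten here anyway, dropping one copy would be cheap. Duplicate interface calls should merge into the same allow rules at build time, so this is tidiness rather than a behaviour change, but it hides whether the second insertion was intentional.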
@@ -33789,9 +34732,11 @@ index 1cf05a3..7289391 100644 logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) +logging_send_syslog_msg(mysqld_safe_t) ++ ++auth_read_passwd(mysqld_safe_t) -hostname_exec(mysqld_safe_t) -+auth_read_passwd(mysqld_safe_t) ++domain_dontaudit_signull_all_domains(mysqld_safe_t) miscfiles_read_localization(mysqld_safe_t) @@ -33808,6 +34753,14 @@ index 1cf05a3..7289391 100644 ######################################## # # MySQL Manager Policy +@@ -218,7 +236,6 @@ kernel_read_system_state(mysqlmanagerd_t) + + corecmd_exec_shell(mysqlmanagerd_t) + +-corenet_all_recvfrom_unlabeled(mysqlmanagerd_t) + corenet_all_recvfrom_netlabel(mysqlmanagerd_t) + corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t) + corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t) @@ -231,7 +248,6 @@ corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t) dev_read_urand(mysqlmanagerd_t) @@ -34029,7 +34982,7 @@ index 8581040..7d8e93b 100644 init_labeled_script_domtrans($1, nagios_initrc_exec_t) domain_system_change_exemption($1) diff --git a/nagios.te b/nagios.te -index 1fadd94..d680d93 100644 +index 1fadd94..b6eec03 100644 --- a/nagios.te +++ b/nagios.te @@ -1,10 +1,12 @@ @@ -34069,7 +35022,7 @@ index 1fadd94..d680d93 100644 type nagios_system_plugin_tmp_t; files_tmp_file(nagios_system_plugin_tmp_t) -@@ -77,8 +86,13 @@ files_pid_filetrans(nagios_t, nagios_var_run_t, file) +@@ -77,13 +86,17 @@ files_pid_filetrans(nagios_t, nagios_var_run_t, file) manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) 
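Review bot: `domain_dontaudit_signull_all_domains(mysqld_safe_t)` suppresses AVC records for signull attempts by mysqld_safe against every domain on the system, which removes the audit trail that would reveal the wrapper probing unrelated processes. If the only intended target is the mysqld server it launches, a scoped rule such as `allow mysqld_safe_t mysqld_t:process signull;` (or a dontaudit limited to that type) satisfies the same need while keeping denials against other domains visible. A short comment naming the probe that triggered the denials would also help, since the commit description only says the interface was added.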
@@ -34083,7 +35036,12 @@ index 1fadd94..d680d93 100644 corecmd_exec_bin(nagios_t) corecmd_exec_shell(nagios_t) -@@ -103,17 +117,14 @@ domain_use_interactive_fds(nagios_t) + +-corenet_all_recvfrom_unlabeled(nagios_t) + corenet_all_recvfrom_netlabel(nagios_t) + corenet_tcp_sendrecv_generic_if(nagios_t) + corenet_udp_sendrecv_generic_if(nagios_t) +@@ -103,17 +116,14 @@ domain_use_interactive_fds(nagios_t) # for ps domain_read_all_domains_state(nagios_t) @@ -34102,7 +35060,7 @@ index 1fadd94..d680d93 100644 auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) -@@ -124,10 +135,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t) +@@ -124,10 +134,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t) mta_send_mail(nagios_t) @@ -34115,7 +35073,7 @@ index 1fadd94..d680d93 100644 netutils_kill_ping(nagios_t) ') -@@ -143,6 +154,7 @@ optional_policy(` +@@ -143,6 +153,7 @@ optional_policy(` # # Nagios CGI local policy # @@ -34123,7 +35081,7 @@ index 1fadd94..d680d93 100644 optional_policy(` apache_content_template(nagios) typealias httpd_nagios_script_t alias nagios_cgi_t; -@@ -180,29 +192,31 @@ optional_policy(` +@@ -180,29 +191,30 @@ optional_policy(` # allow nrpe_t self:capability { setuid setgid }; @@ -34155,12 +35113,11 @@ index 1fadd94..d680d93 100644 corenet_tcp_bind_generic_node(nrpe_t) corenet_tcp_bind_inetd_child_port(nrpe_t) -corenet_sendrecv_unlabeled_packets(nrpe_t) -+corenet_all_recvfrom_unlabeled(nrpe_t) +corenet_all_recvfrom_netlabel(nrpe_t) dev_read_sysfs(nrpe_t) dev_read_urand(nrpe_t) -@@ -211,7 +225,7 @@ domain_use_interactive_fds(nrpe_t) +@@ -211,7 +223,7 @@ domain_use_interactive_fds(nrpe_t) domain_read_all_domains_state(nrpe_t) files_read_etc_runtime_files(nrpe_t) 
@@ -34169,7 +35126,7 @@ index 1fadd94..d680d93 100644 fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) -@@ -252,11 +266,9 @@ optional_policy(` +@@ -252,11 +264,9 @@ optional_policy(` corecmd_read_bin_files(nagios_admin_plugin_t) corecmd_read_bin_symlinks(nagios_admin_plugin_t) @@ -34181,7 +35138,7 @@ index 1fadd94..d680d93 100644 # for check_file_age plugin files_getattr_all_dirs(nagios_admin_plugin_t) files_getattr_all_files(nagios_admin_plugin_t) -@@ -271,20 +283,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +@@ -271,20 +281,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; @@ -34202,7 +35159,7 @@ index 1fadd94..d680d93 100644 logging_send_syslog_msg(nagios_mail_plugin_t) -@@ -300,7 +307,7 @@ optional_policy(` +@@ -300,7 +305,7 @@ optional_policy(` optional_policy(` postfix_stream_connect_master(nagios_mail_plugin_t) @@ -34211,7 +35168,7 @@ index 1fadd94..d680d93 100644 ') ###################################### -@@ -311,7 +318,9 @@ optional_policy(` +@@ -311,7 +316,9 @@ optional_policy(` # needed by ioctl() allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; @@ -34222,7 +35179,7 @@ index 1fadd94..d680d93 100644 files_read_etc_runtime_files(nagios_checkdisk_plugin_t) fs_getattr_all_fs(nagios_checkdisk_plugin_t) -@@ -323,11 +332,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -323,11 +330,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) # local policy for service check plugins # @@ -34236,7 +35193,7 @@ index 1fadd94..d680d93 100644 corecmd_exec_bin(nagios_services_plugin_t) -@@ -342,6 +351,8 @@ files_read_usr_files(nagios_services_plugin_t) +@@ -342,6 +349,8 @@ files_read_usr_files(nagios_services_plugin_t) optional_policy(` netutils_domtrans_ping(nagios_services_plugin_t) 
@@ -34245,7 +35202,7 @@ index 1fadd94..d680d93 100644 ') optional_policy(` -@@ -365,6 +376,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -365,6 +374,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) @@ -34254,7 +35211,7 @@ index 1fadd94..d680d93 100644 kernel_read_system_state(nagios_system_plugin_t) kernel_read_kernel_sysctls(nagios_system_plugin_t) -@@ -372,11 +385,13 @@ corecmd_exec_bin(nagios_system_plugin_t) +@@ -372,11 +383,13 @@ corecmd_exec_bin(nagios_system_plugin_t) corecmd_exec_shell(nagios_system_plugin_t) dev_read_sysfs(nagios_system_plugin_t) @@ -34270,7 +35227,7 @@ index 1fadd94..d680d93 100644 # needed by check_users plugin optional_policy(` -@@ -391,3 +406,52 @@ optional_policy(` +@@ -391,3 +404,52 @@ optional_policy(` optional_policy(` unconfined_domain(nagios_unconfined_plugin_t) ') @@ -34561,6 +35518,18 @@ index f19ca0b..dfc1ba2 100644 + netutils_domtrans(ncftool_t) + #netutils_run(ncftool_t, ncftool_roles) ') +diff --git a/nessus.te b/nessus.te +index 4bfd50e..fcc4eba 100644 +--- a/nessus.te ++++ b/nessus.te +@@ -56,7 +56,6 @@ kernel_read_kernel_sysctls(nessusd_t) + # for nmap etc + corecmd_exec_bin(nessusd_t) + +-corenet_all_recvfrom_unlabeled(nessusd_t) + corenet_all_recvfrom_netlabel(nessusd_t) + corenet_tcp_sendrecv_generic_if(nessusd_t) + corenet_udp_sendrecv_generic_if(nessusd_t) diff --git a/networkmanager.fc b/networkmanager.fc index 386543b..8fe1d63 100644 --- a/networkmanager.fc @@ -34775,7 +35744,7 @@ index 2324d9e..da61d01 100644 + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") +') diff --git a/networkmanager.te b/networkmanager.te -index 0619395..a5b43fc 100644 +index 0619395..83f2ceb 100644 --- a/networkmanager.te +++ b/networkmanager.te 
@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -34848,7 +35817,15 @@ index 0619395..a5b43fc 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -95,11 +127,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t) +@@ -75,7 +107,6 @@ kernel_request_load_module(NetworkManager_t) + kernel_read_debugfs(NetworkManager_t) + kernel_rw_net_sysctls(NetworkManager_t) + +-corenet_all_recvfrom_unlabeled(NetworkManager_t) + corenet_all_recvfrom_netlabel(NetworkManager_t) + corenet_tcp_sendrecv_generic_if(NetworkManager_t) + corenet_udp_sendrecv_generic_if(NetworkManager_t) +@@ -95,11 +126,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t) corenet_rw_tun_tap_dev(NetworkManager_t) corenet_getattr_ppp_dev(NetworkManager_t) @@ -34862,7 +35839,7 @@ index 0619395..a5b43fc 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) -@@ -113,10 +146,10 @@ corecmd_exec_shell(NetworkManager_t) +@@ -113,10 +145,10 @@ corecmd_exec_shell(NetworkManager_t) corecmd_exec_bin(NetworkManager_t) domain_use_interactive_fds(NetworkManager_t) @@ -34875,7 +35852,7 @@ index 0619395..a5b43fc 100644 files_read_usr_files(NetworkManager_t) files_read_usr_src_files(NetworkManager_t) -@@ -128,35 +161,44 @@ init_domtrans_script(NetworkManager_t) +@@ -128,35 +160,44 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -34922,7 +35899,7 @@ index 0619395..a5b43fc 100644 ') optional_policy(` -@@ -176,10 +218,17 @@ optional_policy(` +@@ -176,10 +217,17 @@ optional_policy(` ') optional_policy(` 
@@ -34940,7 +35917,7 @@ index 0619395..a5b43fc 100644 ') ') -@@ -191,6 +240,7 @@ optional_policy(` +@@ -191,6 +239,7 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -34948,7 +35925,7 @@ index 0619395..a5b43fc 100644 ') optional_policy(` -@@ -202,23 +252,45 @@ optional_policy(` +@@ -202,23 +251,45 @@ optional_policy(` ') optional_policy(` @@ -34994,7 +35971,7 @@ index 0619395..a5b43fc 100644 openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -234,6 +306,10 @@ optional_policy(` +@@ -234,6 +305,10 @@ optional_policy(` ') optional_policy(` @@ -35005,7 +35982,7 @@ index 0619395..a5b43fc 100644 ppp_initrc_domtrans(NetworkManager_t) ppp_domtrans(NetworkManager_t) ppp_manage_pid_files(NetworkManager_t) -@@ -241,6 +317,7 @@ optional_policy(` +@@ -241,6 +316,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -35013,7 +35990,7 @@ index 0619395..a5b43fc 100644 ') optional_policy(` -@@ -254,6 +331,10 @@ optional_policy(` +@@ -254,6 +330,10 @@ optional_policy(` ') optional_policy(` @@ -35024,7 +36001,7 @@ index 0619395..a5b43fc 100644 udev_exec(NetworkManager_t) udev_read_db(NetworkManager_t) ') -@@ -263,6 +344,7 @@ optional_policy(` +@@ -263,6 +343,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -35056,10 +36033,10 @@ index 632a565..cd0e015 100644 +/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) diff --git a/nis.if b/nis.if -index abe3f7f..026e1e6 100644 +index abe3f7f..6b31271 100644 --- a/nis.if +++ b/nis.if -@@ -27,14 +27,11 @@ interface(`nis_use_ypbind_uncond',` +@@ -27,17 +27,21 @@ interface(`nis_use_ypbind_uncond',` gen_require(` type var_yp_t; ') 
@@ -35074,8 +36051,19 @@ index abe3f7f..026e1e6 100644 + allow $1 var_yp_t:lnk_file read_lnk_file_perms; allow $1 var_yp_t:file read_file_perms; - corenet_all_recvfrom_unlabeled($1) -@@ -49,14 +46,13 @@ interface(`nis_use_ypbind_uncond',` +- corenet_all_recvfrom_unlabeled($1) ++ #corenet_all_recvfrom_unlabeled($1) ++ # we now use an attribute in corenet_all_recvfrom_unlabeled() calling ++ kernel_dccp_recvfrom_unlabeled(corenet_unlabeled_type) ++ kernel_tcp_recvfrom_unlabeled(corenet_unlabeled_type) ++ kernel_udp_recvfrom_unlabeled(corenet_unlabeled_type) ++ kernel_raw_recvfrom_unlabeled(corenet_unlabeled_type) ++ kernel_recvfrom_unlabeled_peer(corenet_unlabeled_type) ++ + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) +@@ -49,14 +53,13 @@ interface(`nis_use_ypbind_uncond',` corenet_udp_bind_generic_node($1) corenet_tcp_bind_generic_port($1) corenet_udp_bind_generic_port($1) @@ -35093,7 +36081,7 @@ index abe3f7f..026e1e6 100644 corenet_sendrecv_portmap_client_packets($1) corenet_sendrecv_generic_client_packets($1) corenet_sendrecv_generic_server_packets($1) -@@ -88,7 +84,7 @@ interface(`nis_use_ypbind_uncond',` +@@ -88,7 +91,7 @@ interface(`nis_use_ypbind_uncond',` ## # interface(`nis_use_ypbind',` @@ -35102,7 +36090,7 @@ index abe3f7f..026e1e6 100644 nis_use_ypbind_uncond($1) ') ') -@@ -105,7 +101,7 @@ interface(`nis_use_ypbind',` +@@ -105,7 +108,7 @@ interface(`nis_use_ypbind',` ## # interface(`nis_authenticate',` @@ -35111,7 +36099,7 @@ index abe3f7f..026e1e6 100644 nis_use_ypbind_uncond($1) corenet_tcp_bind_all_rpc_ports($1) corenet_udp_bind_all_rpc_ports($1) -@@ -337,6 +333,55 @@ interface(`nis_initrc_domtrans_ypbind',` +@@ -337,6 +340,55 @@ interface(`nis_initrc_domtrans_ypbind',` ######################################## ## 
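Review bot: The five `kernel_*_recvfrom_unlabeled(corenet_unlabeled_type)` calls added inside `nis_use_ypbind_uncond` do not use `$1`, so every caller re-expands the same attribute-wide rules, and `corenet_unlabeled_type` is not listed in the interface's `gen_require(` block (the previous hunk's context shows only `type var_yp_t;`), which a separately built module will trip over. The commit description says the unlabeled-receive rules were moved to domain.if for all `domain_type`, so the replacement for the commented-out `corenet_all_recvfrom_unlabeled($1)` should simply be deletion, leaving only `corenet_all_recvfrom_netlabel($1)` and the sendrecv lines. If the lines are kept, the explanatory comment should read `# unlabeled receive is now granted via the corenet_unlabeled_type attribute in domain.if` and the attribute must be added to `gen_require`. The enclosing interface begins before this hunk.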
@@ -35167,7 +36155,7 @@ index abe3f7f..026e1e6 100644 ## All of the rules required to administrate ## an nis environment ## -@@ -354,22 +399,31 @@ interface(`nis_initrc_domtrans_ypbind',` +@@ -354,22 +406,31 @@ interface(`nis_initrc_domtrans_ypbind',` # interface(`nis_admin',` gen_require(` @@ -35206,7 +36194,7 @@ index abe3f7f..026e1e6 100644 ps_process_pattern($1, ypxfr_t) nis_initrc_domtrans($1) -@@ -379,18 +433,24 @@ interface(`nis_admin',` +@@ -379,18 +440,24 @@ interface(`nis_admin',` role_transition $2 ypbind_initrc_exec_t system_r; allow $2 system_r; @@ -35236,7 +36224,7 @@ index abe3f7f..026e1e6 100644 + ') diff --git a/nis.te b/nis.te -index 4caa041..b37c4ef 100644 +index 4caa041..0c2c426 100644 --- a/nis.te +++ b/nis.te @@ -18,11 +18,14 @@ init_daemon_domain(ypbind_t, ypbind_exec_t) @@ -35275,7 +36263,15 @@ index 4caa041..b37c4ef 100644 ######################################## # # ypbind local policy -@@ -156,6 +162,8 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) +@@ -76,7 +82,6 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t) + kernel_read_system_state(ypbind_t) + kernel_read_kernel_sysctls(ypbind_t) + +-corenet_all_recvfrom_unlabeled(ypbind_t) + corenet_all_recvfrom_netlabel(ypbind_t) + corenet_tcp_sendrecv_generic_if(ypbind_t) + corenet_udp_sendrecv_generic_if(ypbind_t) +@@ -156,12 +161,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) 
@@ -35284,7 +36280,13 @@ index 4caa041..b37c4ef 100644 kernel_list_proc(yppasswdd_t) kernel_read_proc_symlinks(yppasswdd_t) kernel_getattr_proc_files(yppasswdd_t) -@@ -186,6 +194,7 @@ selinux_get_fs_mount(yppasswdd_t) + kernel_read_kernel_sysctls(yppasswdd_t) + +-corenet_all_recvfrom_unlabeled(yppasswdd_t) + corenet_all_recvfrom_netlabel(yppasswdd_t) + corenet_tcp_sendrecv_generic_if(yppasswdd_t) + corenet_udp_sendrecv_generic_if(yppasswdd_t) +@@ -186,6 +192,7 @@ selinux_get_fs_mount(yppasswdd_t) auth_manage_shadow(yppasswdd_t) auth_relabel_shadow(yppasswdd_t) @@ -35292,7 +36294,7 @@ index 4caa041..b37c4ef 100644 auth_etc_filetrans_shadow(yppasswdd_t) corecmd_exec_bin(yppasswdd_t) -@@ -211,6 +220,10 @@ optional_policy(` +@@ -211,6 +218,10 @@ optional_policy(` ') optional_policy(` @@ -35303,6 +36305,22 @@ index 4caa041..b37c4ef 100644 seutil_sigchld_newrole(yppasswdd_t) ') +@@ -247,7 +258,6 @@ kernel_read_kernel_sysctls(ypserv_t) + kernel_list_proc(ypserv_t) + kernel_read_proc_symlinks(ypserv_t) + +-corenet_all_recvfrom_unlabeled(ypserv_t) + corenet_all_recvfrom_netlabel(ypserv_t) + corenet_tcp_sendrecv_generic_if(ypserv_t) + corenet_udp_sendrecv_generic_if(ypserv_t) +@@ -317,7 +327,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; + manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) + files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) + +-corenet_all_recvfrom_unlabeled(ypxfr_t) + corenet_all_recvfrom_netlabel(ypxfr_t) + corenet_tcp_sendrecv_generic_if(ypxfr_t) + corenet_udp_sendrecv_generic_if(ypxfr_t) diff --git a/nova.fc b/nova.fc new file mode 100644 index 0000000..02dc6dc @@ -35382,10 +36400,10 @@ index 0000000..0d11800 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..415b098 +index 0000000..ac55887 --- /dev/null +++ b/nova.te -@@ -0,0 +1,328 @@ +@@ -0,0 +1,327 @@ +policy_module(nova, 1.0.0) + +######################################## 
@@ -35593,7 +36611,6 @@ index 0000000..415b098 +# dnsmasq domtrans does not work since then dnsmasq_t wants +# to do some stuff with nova_lib, nova_tmp +# nova-dhcpbridge runs in dnsmasq domain -+corenet_all_recvfrom_unlabeled(nova_network_t) +corenet_all_recvfrom_netlabel(nova_network_t) +corenet_tcp_sendrecv_generic_if(nova_network_t) +corenet_udp_sendrecv_generic_if(nova_network_t) @@ -35837,7 +36854,7 @@ index 85188dc..2b37836 100644 + allow $1 nscd_unit_file_t:service all_service_perms; ') diff --git a/nscd.te b/nscd.te -index 7936e09..d1861d5 100644 +index 7936e09..48a40f0 100644 --- a/nscd.te +++ b/nscd.te @@ -4,6 +4,13 @@ gen_require(` @@ -35881,7 +36898,15 @@ index 7936e09..d1861d5 100644 kernel_read_kernel_sysctls(nscd_t) kernel_list_proc(nscd_t) kernel_read_proc_symlinks(nscd_t) -@@ -90,8 +102,8 @@ selinux_compute_create_context(nscd_t) +@@ -70,7 +82,6 @@ fs_list_inotifyfs(nscd_t) + auth_getattr_shadow(nscd_t) + auth_use_nsswitch(nscd_t) + +-corenet_all_recvfrom_unlabeled(nscd_t) + corenet_all_recvfrom_netlabel(nscd_t) + corenet_tcp_sendrecv_generic_if(nscd_t) + corenet_udp_sendrecv_generic_if(nscd_t) +@@ -90,8 +101,8 @@ selinux_compute_create_context(nscd_t) selinux_compute_relabel_context(nscd_t) selinux_compute_user_contexts(nscd_t) domain_use_interactive_fds(nscd_t) @@ -35891,7 +36916,7 @@ index 7936e09..d1861d5 100644 files_read_generic_tmp_symlinks(nscd_t) # Needed to read files created by firstboot "/etc/hesiod.conf" files_read_etc_runtime_files(nscd_t) -@@ -112,6 +124,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t) +@@ -112,6 +123,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t) userdom_dontaudit_search_user_home_dirs(nscd_t) optional_policy(` @@ -35902,7 +36927,7 @@ index 7936e09..d1861d5 100644 cron_read_system_job_tmp_files(nscd_t) ') -@@ -127,3 +143,17 @@ optional_policy(` +@@ -127,3 +142,17 @@ optional_policy(` xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') 
@@ -35939,7 +36964,7 @@ index 53cc800..5348e92 100644 -/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) diff --git a/nsd.te b/nsd.te -index 4b15536..da79065 100644 +index 4b15536..2446617 100644 --- a/nsd.te +++ b/nsd.te @@ -18,15 +18,11 @@ domain_type(nsd_crond_t) @@ -35991,7 +37016,15 @@ index 4b15536..da79065 100644 can_exec(nsd_t, nsd_exec_t) -@@ -79,17 +74,19 @@ dev_read_sysfs(nsd_t) +@@ -61,7 +56,6 @@ kernel_read_kernel_sysctls(nsd_t) + + corecmd_exec_bin(nsd_t) + +-corenet_all_recvfrom_unlabeled(nsd_t) + corenet_all_recvfrom_netlabel(nsd_t) + corenet_tcp_sendrecv_generic_if(nsd_t) + corenet_udp_sendrecv_generic_if(nsd_t) +@@ -79,17 +73,19 @@ dev_read_sysfs(nsd_t) domain_use_interactive_fds(nsd_t) @@ -36013,7 +37046,7 @@ index 4b15536..da79065 100644 userdom_dontaudit_use_unpriv_user_fds(nsd_t) userdom_dontaudit_search_user_home_dirs(nsd_t) -@@ -121,8 +118,6 @@ allow nsd_crond_t self:udp_socket create_socket_perms; +@@ -121,8 +117,6 @@ allow nsd_crond_t self:udp_socket create_socket_perms; allow nsd_crond_t nsd_conf_t:file read_file_perms; @@ -36022,7 +37055,15 @@ index 4b15536..da79065 100644 files_search_var_lib(nsd_crond_t) allow nsd_crond_t nsd_t:process signal; -@@ -155,10 +150,11 @@ dev_read_urand(nsd_crond_t) +@@ -139,7 +133,6 @@ kernel_read_system_state(nsd_crond_t) + corecmd_exec_bin(nsd_crond_t) + corecmd_exec_shell(nsd_crond_t) + +-corenet_all_recvfrom_unlabeled(nsd_crond_t) + corenet_all_recvfrom_netlabel(nsd_crond_t) + corenet_tcp_sendrecv_generic_if(nsd_crond_t) + corenet_udp_sendrecv_generic_if(nsd_crond_t) +@@ -155,10 +148,11 @@ dev_read_urand(nsd_crond_t) domain_dontaudit_read_all_domains_state(nsd_crond_t) @@ -36615,10 +37656,10 @@ index 0000000..fce899a +') diff --git a/nsplugin.te b/nsplugin.te new file mode 100644 -index 0000000..d19d3da +index 0000000..a217e56 --- /dev/null 
+++ b/nsplugin.te -@@ -0,0 +1,326 @@ +@@ -0,0 +1,325 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -36714,7 +37755,6 @@ index 0000000..d19d3da +corecmd_exec_bin(nsplugin_t) +corecmd_exec_shell(nsplugin_t) + -+corenet_all_recvfrom_unlabeled(nsplugin_t) +corenet_all_recvfrom_netlabel(nsplugin_t) +corenet_tcp_connect_flash_port(nsplugin_t) +corenet_tcp_connect_streaming_port(nsplugin_t) @@ -36946,10 +37986,18 @@ index 0000000..d19d3da + pulseaudio_setattr_home_dir(nsplugin_t) +') diff --git a/ntop.te b/ntop.te -index ded9fb6..2d30258 100644 +index ded9fb6..e4beebd 100644 --- a/ntop.te +++ b/ntop.te -@@ -85,7 +85,6 @@ dev_rw_generic_usb_dev(ntop_t) +@@ -63,7 +63,6 @@ kernel_read_kernel_sysctls(ntop_t) + kernel_list_proc(ntop_t) + kernel_read_proc_symlinks(ntop_t) + +-corenet_all_recvfrom_unlabeled(ntop_t) + corenet_all_recvfrom_netlabel(ntop_t) + corenet_tcp_sendrecv_generic_if(ntop_t) + corenet_udp_sendrecv_generic_if(ntop_t) +@@ -85,7 +84,6 @@ dev_rw_generic_usb_dev(ntop_t) domain_use_interactive_fds(ntop_t) @@ -37078,7 +38126,7 @@ index e80f8c0..0044e73 100644 + allow $1 ntpd_unit_file_t:service all_service_perms; ') diff --git a/ntp.te b/ntp.te -index c61adc8..b3dd6cc 100644 +index c61adc8..b374876 100644 --- a/ntp.te +++ b/ntp.te @@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t) @@ -37091,7 +38139,15 @@ index c61adc8..b3dd6cc 100644 type ntpd_key_t; files_type(ntpd_key_t) -@@ -96,11 +99,15 @@ corenet_sendrecv_ntp_client_packets(ntpd_t) +@@ -78,7 +81,6 @@ kernel_read_system_state(ntpd_t) + kernel_read_network_state(ntpd_t) + kernel_request_load_module(ntpd_t) + +-corenet_all_recvfrom_unlabeled(ntpd_t) + corenet_all_recvfrom_netlabel(ntpd_t) + corenet_tcp_sendrecv_generic_if(ntpd_t) + corenet_udp_sendrecv_generic_if(ntpd_t) +@@ -96,11 +98,15 @@ corenet_sendrecv_ntp_client_packets(ntpd_t) dev_read_sysfs(ntpd_t) # for SSP dev_read_urand(ntpd_t) 
@@ -37107,7 +38163,7 @@ index c61adc8..b3dd6cc 100644 auth_use_nsswitch(ntpd_t) -@@ -110,7 +117,6 @@ corecmd_exec_shell(ntpd_t) +@@ -110,7 +116,6 @@ corecmd_exec_shell(ntpd_t) domain_use_interactive_fds(ntpd_t) domain_dontaudit_list_all_domains_state(ntpd_t) @@ -37270,7 +38326,7 @@ index 0a929ef..371119d 100644 /var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0) diff --git a/nut.te b/nut.te -index ff962dd..c4ee72c 100644 +index ff962dd..34f9ac8 100644 --- a/nut.te +++ b/nut.te @@ -29,6 +29,7 @@ files_pid_file(nut_var_run_t) @@ -37289,6 +38345,14 @@ index ff962dd..c4ee72c 100644 dev_read_urand(nut_upsdrvctl_t) dev_rw_generic_usb_dev(nut_upsdrvctl_t) +@@ -157,7 +159,6 @@ optional_policy(` + + read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t) + +- corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t) + corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t) + corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t) + corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t) diff --git a/nx.if b/nx.if index 79a225c..d82b231 100644 --- a/nx.if @@ -37338,7 +38402,7 @@ index 79a225c..d82b231 100644 + filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh") +') diff --git a/nx.te b/nx.te -index 58e2972..5aff5a5 100644 +index 58e2972..842affd 100644 --- a/nx.te +++ b/nx.te @@ -28,6 +28,9 @@ files_type(nx_server_var_lib_t) @@ -37370,6 +38434,14 @@ index 58e2972..5aff5a5 100644 kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) +@@ -58,7 +64,6 @@ kernel_read_kernel_sysctls(nx_server_t) + corecmd_exec_shell(nx_server_t) + corecmd_exec_bin(nx_server_t) + +-corenet_all_recvfrom_unlabeled(nx_server_t) + corenet_all_recvfrom_netlabel(nx_server_t) + corenet_tcp_sendrecv_generic_if(nx_server_t) + corenet_udp_sendrecv_generic_if(nx_server_t) diff --git a/oav.fc b/oav.fc index 0a66474..cf90b6e 100644 --- a/oav.fc 
@@ -37381,10 +38453,18 @@ index 0a66474..cf90b6e 100644 -/var/log/scannerdaemon\.log -- gen_context(system_u:object_r:scannerdaemon_log_t,s0) +/var/log/scannerdaemon\.log.* -- gen_context(system_u:object_r:scannerdaemon_log_t,s0) diff --git a/oav.te b/oav.te -index b4c5f86..0f1549d 100644 +index b4c5f86..3611887 100644 --- a/oav.te +++ b/oav.te -@@ -66,7 +66,7 @@ logging_send_syslog_msg(oav_update_t) +@@ -48,7 +48,6 @@ read_lnk_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) + + corecmd_exec_all_executables(oav_update_t) + +-corenet_all_recvfrom_unlabeled(oav_update_t) + corenet_all_recvfrom_netlabel(oav_update_t) + corenet_tcp_sendrecv_generic_if(oav_update_t) + corenet_udp_sendrecv_generic_if(oav_update_t) +@@ -66,7 +65,7 @@ logging_send_syslog_msg(oav_update_t) sysnet_read_config(oav_update_t) @@ -37393,6 +38473,14 @@ index b4c5f86..0f1549d 100644 optional_policy(` cron_system_entry(oav_update_t, oav_update_exec_t) +@@ -101,7 +100,6 @@ kernel_read_kernel_sysctls(scannerdaemon_t) + # Can run kaffe + corecmd_exec_all_executables(scannerdaemon_t) + +-corenet_all_recvfrom_unlabeled(scannerdaemon_t) + corenet_all_recvfrom_netlabel(scannerdaemon_t) + corenet_tcp_sendrecv_generic_if(scannerdaemon_t) + corenet_udp_sendrecv_generic_if(scannerdaemon_t) diff --git a/obex.fc b/obex.fc new file mode 100644 index 0000000..7b31529 @@ -37684,10 +38772,10 @@ index bb4fae5..4dfed8a 100644 + admin_pattern($1, oidentd_config_t) +') diff --git a/oident.te b/oident.te -index 8845174..958f719 100644 +index 8845174..9a1de6b 100644 --- a/oident.te +++ b/oident.te -@@ -26,10 +26,10 @@ files_config_file(oidentd_config_t) +@@ -26,15 +26,14 @@ files_config_file(oidentd_config_t) # allow oidentd_t self:capability { setuid setgid }; 
@@ -37702,7 +38790,12 @@ index 8845174..958f719 100644 allow oidentd_t self:unix_dgram_socket { create connect }; allow oidentd_t oidentd_config_t:file read_file_perms; -@@ -59,17 +59,4 @@ miscfiles_read_localization(oidentd_t) + +-corenet_all_recvfrom_unlabeled(oidentd_t) + corenet_all_recvfrom_netlabel(oidentd_t) + corenet_tcp_sendrecv_generic_if(oidentd_t) + corenet_tcp_sendrecv_generic_node(oidentd_t) +@@ -59,17 +58,4 @@ miscfiles_read_localization(oidentd_t) sysnet_read_config(oidentd_t) oident_read_user_content(oidentd_t) @@ -38001,7 +39094,7 @@ index d883214..d6afa87 100644 init_labeled_script_domtrans($1, openvpn_initrc_exec_t) domain_system_change_exemption($1) diff --git a/openvpn.te b/openvpn.te -index 66a52ee..1c35dd9 100644 +index 66a52ee..4ca43aa 100644 --- a/openvpn.te +++ b/openvpn.te @@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t) @@ -38051,7 +39144,7 @@ index 66a52ee..1c35dd9 100644 manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) -@@ -68,6 +77,7 @@ kernel_read_kernel_sysctls(openvpn_t) +@@ -68,11 +77,11 @@ kernel_read_kernel_sysctls(openvpn_t) kernel_read_net_sysctls(openvpn_t) kernel_read_network_state(openvpn_t) kernel_read_system_state(openvpn_t) @@ -38059,7 +39152,12 @@ index 66a52ee..1c35dd9 100644 corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) -@@ -87,6 +97,7 @@ corenet_udp_bind_openvpn_port(openvpn_t) + +-corenet_all_recvfrom_unlabeled(openvpn_t) + corenet_all_recvfrom_netlabel(openvpn_t) + corenet_tcp_sendrecv_generic_if(openvpn_t) + corenet_udp_sendrecv_generic_if(openvpn_t) +@@ -87,6 +96,7 @@ corenet_udp_bind_openvpn_port(openvpn_t) corenet_tcp_bind_http_port(openvpn_t) corenet_tcp_connect_openvpn_port(openvpn_t) corenet_tcp_connect_http_port(openvpn_t) 
@@ -38067,7 +39165,7 @@ index 66a52ee..1c35dd9 100644 corenet_tcp_connect_http_cache_port(openvpn_t) corenet_rw_tun_tap_dev(openvpn_t) corenet_sendrecv_openvpn_server_packets(openvpn_t) -@@ -100,33 +111,40 @@ dev_read_urand(openvpn_t) +@@ -100,33 +110,40 @@ dev_read_urand(openvpn_t) files_read_etc_files(openvpn_t) files_read_etc_runtime_files(openvpn_t) @@ -38116,7 +39214,7 @@ index 66a52ee..1c35dd9 100644 optional_policy(` daemontools_service_domain(openvpn_t, openvpn_exec_t) -@@ -138,3 +156,7 @@ optional_policy(` +@@ -138,3 +155,7 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') @@ -38468,7 +39566,7 @@ index 8ac407e..45673ad 100644 admin_pattern($1, pads_config_t) ') diff --git a/pads.te b/pads.te -index b246bdd..3036f80 100644 +index b246bdd..99f27c0 100644 --- a/pads.te +++ b/pads.te @@ -25,10 +25,11 @@ files_pid_file(pads_var_run_t) @@ -38487,7 +39585,7 @@ index b246bdd..3036f80 100644 allow pads_t pads_config_t:file manage_file_perms; files_etc_filetrans(pads_t, pads_config_t, file) -@@ -37,6 +38,7 @@ allow pads_t pads_var_run_t:file manage_file_perms; +@@ -37,10 +38,10 @@ allow pads_t pads_var_run_t:file manage_file_perms; files_pid_filetrans(pads_t, pads_var_run_t, file) kernel_read_sysctl(pads_t) @@ -38495,7 +39593,11 @@ index b246bdd..3036f80 100644 corecmd_search_bin(pads_t) -@@ -48,6 +50,7 @@ corenet_tcp_connect_prelude_port(pads_t) +-corenet_all_recvfrom_unlabeled(pads_t) + corenet_all_recvfrom_netlabel(pads_t) + corenet_tcp_sendrecv_generic_if(pads_t) + corenet_tcp_sendrecv_generic_node(pads_t) +@@ -48,6 +49,7 @@ corenet_tcp_connect_prelude_port(pads_t) dev_read_rand(pads_t) dev_read_urand(pads_t) 
@@ -38503,6 +39605,23 @@ index b246bdd..3036f80 100644 files_read_etc_files(pads_t) files_search_spool(pads_t) +diff --git a/passenger.fc b/passenger.fc +index 545518d..e275c31 100644 +--- a/passenger.fc ++++ b/passenger.fc +@@ -3,6 +3,12 @@ + /usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) + /usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) + ++/usr/local/share/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/local/share/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/local/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/local/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) ++ ++ + /var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) + + /var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0) diff --git a/passenger.if b/passenger.if index f68b573..95efca0 100644 --- a/passenger.if @@ -38598,7 +39717,7 @@ index f68b573..95efca0 100644 + allow $1 passenger_t:unix_stream_socket connectto; +') diff --git a/passenger.te b/passenger.te -index 3470036..2cf8a53 100644 +index 3470036..ef09491 100644 --- a/passenger.te +++ b/passenger.te @@ -28,7 +28,7 @@ files_pid_file(passenger_var_run_t) 
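Review bot: The four new passenger.fc entries disagree on the path prefix: the first two label files under `/usr/local/share/gems/`, the last two under `/usr/local/gems/`, so a gem tree that matches one pair cannot match the other and PassengerLoggingAgent / PassengerHelperAgent (or the watchdog and pool server, depending on which prefix is real) are left with the default label for that part of /usr/local instead of passenger_exec_t. Executables without the exec label do not get the passenger_t transition the rest of this patch relies on, so they either fail to run or run in the caller's domain. Unless both layouts exist, make the prefixes consistent, e.g. `/usr/local/share/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)` and `/usr/local/share/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)`, and drop the two trailing blank lines that were added after them.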
@@ -38610,7 +39729,7 @@ index 3470036..2cf8a53 100644 allow passenger_t self:process { setpgid setsched sigkill signal }; allow passenger_t self:fifo_file rw_fifo_file_perms; allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -49,6 +49,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) +@@ -49,11 +49,15 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) @@ -38622,7 +39741,12 @@ index 3470036..2cf8a53 100644 kernel_read_system_state(passenger_t) kernel_read_kernel_sysctls(passenger_t) -@@ -63,10 +68,14 @@ corecmd_exec_shell(passenger_t) + corenet_all_recvfrom_netlabel(passenger_t) +-corenet_all_recvfrom_unlabeled(passenger_t) + corenet_tcp_sendrecv_generic_if(passenger_t) + corenet_tcp_sendrecv_generic_node(passenger_t) + corenet_tcp_connect_http_port(passenger_t) +@@ -63,10 +67,14 @@ corecmd_exec_shell(passenger_t) dev_read_urand(passenger_t) @@ -38638,7 +39762,7 @@ index 3470036..2cf8a53 100644 miscfiles_read_localization(passenger_t) userdom_dontaudit_use_user_terminals(passenger_t) -@@ -75,3 +84,9 @@ optional_policy(` +@@ -75,3 +83,9 @@ optional_policy(` apache_append_log(passenger_t) apache_read_sys_content(passenger_t) ') @@ -38710,7 +39834,7 @@ index 1c2a091..3ead3cc 100644 ######################################## diff --git a/pcscd.te b/pcscd.te -index ceafba6..a401838 100644 +index ceafba6..dbf1b71 100644 --- a/pcscd.te +++ b/pcscd.te @@ -25,6 +25,7 @@ allow pcscd_t self:fifo_file rw_fifo_file_perms; 
@@ -38721,7 +39845,15 @@ index ceafba6..a401838 100644 manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -@@ -77,3 +78,7 @@ optional_policy(` +@@ -34,7 +35,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) + + kernel_read_system_state(pcscd_t) + +-corenet_all_recvfrom_unlabeled(pcscd_t) + corenet_all_recvfrom_netlabel(pcscd_t) + corenet_tcp_sendrecv_generic_if(pcscd_t) + corenet_tcp_sendrecv_generic_node(pcscd_t) +@@ -77,3 +77,7 @@ optional_policy(` optional_policy(` rpm_use_script_fds(pcscd_t) ') @@ -38730,7 +39862,7 @@ index ceafba6..a401838 100644 + udev_read_db(pcscd_t) +') diff --git a/pegasus.te b/pegasus.te -index 3185114..6fc91e8 100644 +index 3185114..e196595 100644 --- a/pegasus.te +++ b/pegasus.te @@ -16,7 +16,7 @@ type pegasus_tmp_t; @@ -38760,7 +39892,7 @@ index 3185114..6fc91e8 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) -@@ -56,15 +56,19 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) +@@ -56,17 +56,20 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir }) @@ -38780,9 +39912,11 @@ index 3185114..6fc91e8 100644 +kernel_read_xen_state(pegasus_t) +kernel_write_xen_state(pegasus_t) - corenet_all_recvfrom_unlabeled(pegasus_t) +-corenet_all_recvfrom_unlabeled(pegasus_t) corenet_all_recvfrom_netlabel(pegasus_t) -@@ -95,11 +99,11 @@ files_getattr_all_dirs(pegasus_t) + corenet_tcp_sendrecv_generic_if(pegasus_t) + corenet_tcp_sendrecv_generic_node(pegasus_t) +@@ -95,11 +98,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) 
@@ -38795,7 +39929,7 @@ index 3185114..6fc91e8 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) files_read_var_lib_symlinks(pegasus_t) -@@ -121,10 +125,30 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t) +@@ -121,10 +124,30 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t) userdom_dontaudit_search_user_home_dirs(pegasus_t) optional_policy(` @@ -38826,7 +39960,7 @@ index 3185114..6fc91e8 100644 seutil_sigchld_newrole(pegasus_t) seutil_dontaudit_read_config(pegasus_t) ') -@@ -136,3 +160,14 @@ optional_policy(` +@@ -136,3 +159,14 @@ optional_policy(` optional_policy(` unconfined_signull(pegasus_t) ') @@ -38841,6 +39975,18 @@ index 3185114..6fc91e8 100644 + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') +diff --git a/perdition.te b/perdition.te +index 3636277..9432a3c 100644 +--- a/perdition.te ++++ b/perdition.te +@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(perdition_t) + kernel_list_proc(perdition_t) + kernel_read_proc_symlinks(perdition_t) + +-corenet_all_recvfrom_unlabeled(perdition_t) + corenet_all_recvfrom_netlabel(perdition_t) + corenet_tcp_sendrecv_generic_if(perdition_t) + corenet_udp_sendrecv_generic_if(perdition_t) diff --git a/phpfpm.fc b/phpfpm.fc new file mode 100644 index 0000000..4c64b13 @@ -39354,10 +40500,10 @@ index 0000000..548d0a2 +') diff --git a/piranha.te b/piranha.te new file mode 100644 -index 0000000..5b95ff5 +index 0000000..925b0a2 --- /dev/null +++ b/piranha.te -@@ -0,0 +1,300 @@ +@@ -0,0 +1,299 @@ +policy_module(piranha, 1.0.0) + +######################################## @@ -39637,7 +40783,6 @@ index 0000000..5b95ff5 +kernel_read_system_state(piranha_domain) +kernel_read_network_state(piranha_domain) + -+corenet_all_recvfrom_unlabeled(piranha_domain) +corenet_all_recvfrom_netlabel(piranha_domain) +corenet_tcp_sendrecv_generic_if(piranha_domain) +corenet_udp_sendrecv_generic_if(piranha_domain) @@ -40595,10 +41740,10 @@ index 0000000..d00f6ba +') 
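Review bot: Removing `corenet_all_recvfrom_unlabeled(piranha_domain)` in the new piranha.te relies on the commit's claim that the permission now comes from domain.if for every domain_type, but piranha_domain reads as an attribute rather than a type, and its declaration is not in this hunk. That replacement only holds if each type that is given piranha_domain is also a domain_type; any one declared without it silently loses the ability to receive unlabeled packets, which would show up as network failures with no obvious AVC. A one-line comment at the removal point recording the dependency, `# unlabeled receive now comes from domain_type (see domain.if); every piranha_domain type must be a domain`, would keep a future maintainer from re-adding or mis-diagnosing it. The attribute's declaration lies outside this hunk.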
diff --git a/polipo.te b/polipo.te new file mode 100644 -index 0000000..781625a +index 0000000..00b432b --- /dev/null +++ b/polipo.te -@@ -0,0 +1,172 @@ +@@ -0,0 +1,171 @@ +policy_module(polipo, 1.0.0) + +######################################## @@ -40697,7 +41842,6 @@ index 0000000..781625a +allow polipo_daemon self:tcp_socket { listen accept }; + +corenet_all_recvfrom_netlabel(polipo_daemon) -+corenet_all_recvfrom_unlabeled(polipo_daemon) +corenet_tcp_bind_generic_node(polipo_daemon) +corenet_tcp_sendrecv_generic_if(polipo_daemon) +corenet_tcp_sendrecv_generic_node(polipo_daemon) @@ -40785,7 +41929,7 @@ index 1d5b4e5..a79acdd 100644 /var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) /var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) diff --git a/portage.if b/portage.if -index b4bb48a..7098ded 100644 +index b4bb48a..b52100d 100644 --- a/portage.if +++ b/portage.if @@ -43,11 +43,15 @@ interface(`portage_domtrans',` @@ -40807,8 +41951,16 @@ index b4bb48a..7098ded 100644 ') ######################################## +@@ -139,7 +143,6 @@ interface(`portage_compile_domain',` + # really shouldnt need this but some packages test + # network access, such as during configure + # also distcc--need to reinvestigate confining distcc client +- corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) diff --git a/portage.te b/portage.te -index 2af04b9..f726e1d 100644 +index 2af04b9..7255594 100644 --- a/portage.te +++ b/portage.te @@ -12,7 +12,7 @@ policy_module(portage, 1.12.4) 
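Review bot: In the portage.if hunk for `portage_compile_domain`, `corenet_all_recvfrom_unlabeled($1)` is removed from an interface whose `$1` is supplied by the caller, while the existing comment above it still says the domain "really shouldnt need this" network access. After the change the ability to receive unlabeled packets is no longer granted here at all; it only exists if the caller's type is a domain_type, which the interface does not require or check. The comment should say where the permission now comes from so the gap is visible, e.g. `# unlabeled receive is granted to all domain_type in domain.if; callers must pass a domain`. The interface's remaining body is outside this hunk.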
@@ -40938,7 +42090,15 @@ index 2af04b9..f726e1d 100644 ifdef(`TODO',` # seems to work ok without these -@@ -302,11 +316,9 @@ miscfiles_read_localization(portage_fetch_t) +@@ -265,7 +279,6 @@ kernel_read_kernel_sysctls(portage_fetch_t) + corecmd_exec_bin(portage_fetch_t) + corecmd_exec_shell(portage_fetch_t) + +-corenet_all_recvfrom_unlabeled(portage_fetch_t) + corenet_all_recvfrom_netlabel(portage_fetch_t) + corenet_tcp_sendrecv_generic_if(portage_fetch_t) + corenet_tcp_sendrecv_generic_node(portage_fetch_t) +@@ -302,11 +315,9 @@ miscfiles_read_localization(portage_fetch_t) sysnet_read_config(portage_fetch_t) sysnet_dns_name_resolve(portage_fetch_t) @@ -40951,7 +42111,7 @@ index 2af04b9..f726e1d 100644 ifdef(`hide_broken_symptoms',` dontaudit portage_fetch_t portage_cache_t:file read; ') -@@ -322,6 +334,10 @@ optional_policy(` +@@ -322,6 +333,10 @@ optional_policy(` gpg_exec(portage_fetch_t) ') @@ -40976,10 +42136,18 @@ index 3cdcd9f..2061efe 100644 /sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) diff --git a/portmap.te b/portmap.te -index c1db652..faa16a6 100644 +index c1db652..068c887 100644 --- a/portmap.te +++ b/portmap.te -@@ -73,7 +73,8 @@ fs_search_auto_mountpoints(portmap_t) +@@ -43,7 +43,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file) + kernel_read_system_state(portmap_t) + kernel_read_kernel_sysctls(portmap_t) + +-corenet_all_recvfrom_unlabeled(portmap_t) + corenet_all_recvfrom_netlabel(portmap_t) + corenet_tcp_sendrecv_generic_if(portmap_t) + corenet_udp_sendrecv_generic_if(portmap_t) +@@ -73,7 +72,8 @@ fs_search_auto_mountpoints(portmap_t) domain_use_interactive_fds(portmap_t) 
@@ -40989,7 +42157,15 @@ index c1db652..faa16a6 100644 logging_send_syslog_msg(portmap_t) -@@ -133,7 +134,6 @@ corenet_tcp_connect_all_ports(portmap_helper_t) +@@ -113,7 +113,6 @@ allow portmap_helper_t self:udp_socket create_socket_perms; + allow portmap_helper_t portmap_var_run_t:file manage_file_perms; + files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file) + +-corenet_all_recvfrom_unlabeled(portmap_helper_t) + corenet_all_recvfrom_netlabel(portmap_helper_t) + corenet_tcp_sendrecv_generic_if(portmap_helper_t) + corenet_udp_sendrecv_generic_if(portmap_helper_t) +@@ -133,7 +132,6 @@ corenet_tcp_connect_all_ports(portmap_helper_t) domain_dontaudit_use_interactive_fds(portmap_helper_t) @@ -40997,7 +42173,7 @@ index c1db652..faa16a6 100644 files_rw_generic_pids(portmap_helper_t) init_rw_utmp(portmap_helper_t) -@@ -142,7 +142,7 @@ logging_send_syslog_msg(portmap_helper_t) +@@ -142,7 +140,7 @@ logging_send_syslog_msg(portmap_helper_t) sysnet_read_config(portmap_helper_t) @@ -41041,7 +42217,7 @@ index 7719d16..d283895 100644 portreserve_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/portreserve.te b/portreserve.te -index 152af92..1594066 100644 +index 152af92..d67fea5 100644 --- a/portreserve.te +++ b/portreserve.te @@ -13,7 +13,7 @@ type portreserve_initrc_exec_t; @@ -41053,11 +42229,27 @@ index 152af92..1594066 100644 type portreserve_var_run_t; files_pid_file(portreserve_var_run_t) +@@ -42,7 +42,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir } + + corecmd_getattr_bin_files(portreserve_t) + +-corenet_all_recvfrom_unlabeled(portreserve_t) + corenet_all_recvfrom_netlabel(portreserve_t) + corenet_tcp_bind_generic_node(portreserve_t) + corenet_udp_bind_generic_node(portreserve_t) diff --git a/portslave.te b/portslave.te -index 69c331e..0555635 100644 +index 69c331e..528f2d8 100644 --- a/portslave.te 
+++ b/portslave.te -@@ -79,7 +79,7 @@ fs_getattr_xattr_fs(portslave_t) +@@ -54,7 +54,6 @@ kernel_read_kernel_sysctls(portslave_t) + corecmd_exec_bin(portslave_t) + corecmd_exec_shell(portslave_t) + +-corenet_all_recvfrom_unlabeled(portslave_t) + corenet_all_recvfrom_netlabel(portslave_t) + corenet_tcp_sendrecv_generic_if(portslave_t) + corenet_udp_sendrecv_generic_if(portslave_t) +@@ -79,7 +78,7 @@ fs_getattr_xattr_fs(portslave_t) term_use_unallocated_ttys(portslave_t) term_setattr_unallocated_ttys(portslave_t) @@ -41112,7 +42304,7 @@ index 1ddfa16..c0e0959 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/postfix.if b/postfix.if -index 46bee12..eccdc20 100644 +index 46bee12..61cc81a 100644 --- a/postfix.if +++ b/postfix.if @@ -28,75 +28,19 @@ interface(`postfix_stub',` @@ -41206,7 +42398,15 @@ index 46bee12..eccdc20 100644 allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; allow postfix_$1_t self:tcp_socket create_socket_perms; allow postfix_$1_t self:udp_socket create_socket_perms; -@@ -165,6 +109,8 @@ template(`postfix_user_domain_template',` +@@ -126,7 +70,6 @@ template(`postfix_server_domain_template',` + + domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) + +- corenet_all_recvfrom_unlabeled(postfix_$1_t) + corenet_all_recvfrom_netlabel(postfix_$1_t) + corenet_tcp_sendrecv_generic_if(postfix_$1_t) + corenet_udp_sendrecv_generic_if(postfix_$1_t) +@@ -165,6 +108,8 @@ template(`postfix_user_domain_template',` domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) domain_use_interactive_fds(postfix_$1_t) @@ -41215,7 +42415,7 @@ index 46bee12..eccdc20 100644 ') ######################################## -@@ -215,7 +161,7 @@ interface(`postfix_config_filetrans',` +@@ -215,7 +160,7 @@ interface(`postfix_config_filetrans',` ') files_search_etc($1) 
@@ -41224,7 +42424,7 @@ index 46bee12..eccdc20 100644 ') ######################################## -@@ -272,7 +218,8 @@ interface(`postfix_read_local_state',` +@@ -272,7 +217,8 @@ interface(`postfix_read_local_state',` type postfix_local_t; ') @@ -41234,7 +42434,7 @@ index 46bee12..eccdc20 100644 ') ######################################## -@@ -290,7 +237,27 @@ interface(`postfix_read_master_state',` +@@ -290,7 +236,27 @@ interface(`postfix_read_master_state',` type postfix_master_t; ') @@ -41263,7 +42463,7 @@ index 46bee12..eccdc20 100644 ') ######################################## -@@ -376,6 +343,25 @@ interface(`postfix_domtrans_master',` +@@ -376,6 +342,25 @@ interface(`postfix_domtrans_master',` domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) ') @@ -41289,7 +42489,7 @@ index 46bee12..eccdc20 100644 ######################################## ## ## Execute the master postfix program in the -@@ -404,7 +390,6 @@ interface(`postfix_exec_master',` +@@ -404,7 +389,6 @@ interface(`postfix_exec_master',` ## Domain allowed access. ## ## @@ -41297,7 +42497,7 @@ index 46bee12..eccdc20 100644 # interface(`postfix_stream_connect_master',` gen_require(` -@@ -416,6 +401,24 @@ interface(`postfix_stream_connect_master',` +@@ -416,6 +400,24 @@ interface(`postfix_stream_connect_master',` ######################################## ## @@ -41322,7 +42522,7 @@ index 46bee12..eccdc20 100644 ## Execute the master postdrop in the ## postfix_postdrop domain. ## -@@ -462,7 +465,7 @@ interface(`postfix_domtrans_postqueue',` +@@ -462,7 +464,7 @@ interface(`postfix_domtrans_postqueue',` ## ## # @@ -41331,7 +42531,7 @@ index 46bee12..eccdc20 100644 gen_require(` type postfix_postqueue_exec_t; ') -@@ -529,6 +532,25 @@ interface(`postfix_domtrans_smtp',` +@@ -529,6 +531,25 @@ interface(`postfix_domtrans_smtp',` ######################################## ## 
@@ -41357,7 +42557,7 @@ index 46bee12..eccdc20 100644 ## Search postfix mail spool directories. ## ## -@@ -539,10 +561,10 @@ interface(`postfix_domtrans_smtp',` +@@ -539,10 +560,10 @@ interface(`postfix_domtrans_smtp',` # interface(`postfix_search_spool',` gen_require(` @@ -41370,7 +42570,7 @@ index 46bee12..eccdc20 100644 files_search_spool($1) ') -@@ -558,10 +580,10 @@ interface(`postfix_search_spool',` +@@ -558,10 +579,10 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -41383,7 +42583,7 @@ index 46bee12..eccdc20 100644 files_search_spool($1) ') -@@ -577,11 +599,11 @@ interface(`postfix_list_spool',` +@@ -577,11 +598,11 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` @@ -41397,7 +42597,7 @@ index 46bee12..eccdc20 100644 ') ######################################## -@@ -596,11 +618,11 @@ interface(`postfix_read_spool_files',` +@@ -596,11 +617,11 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` @@ -41411,7 +42611,7 @@ index 46bee12..eccdc20 100644 ') ######################################## -@@ -621,3 +643,155 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +642,155 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -41568,7 +42768,7 @@ index 46bee12..eccdc20 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/postfix.te b/postfix.te -index 69cbd06..fca2d47 100644 +index 69cbd06..fb3486f 100644 --- a/postfix.te +++ b/postfix.te @@ -1,10 +1,19 @@ 
@@ -41681,7 +42881,7 @@ index 69cbd06..fca2d47 100644 manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) -@@ -138,6 +152,7 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_ +@@ -138,11 +152,11 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) @@ -41689,7 +42889,12 @@ index 69cbd06..fca2d47 100644 setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) kernel_read_all_sysctls(postfix_master_t) -@@ -150,6 +165,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) + +-corenet_all_recvfrom_unlabeled(postfix_master_t) + corenet_all_recvfrom_netlabel(postfix_master_t) + corenet_tcp_sendrecv_generic_if(postfix_master_t) + corenet_udp_sendrecv_generic_if(postfix_master_t) +@@ -150,6 +164,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -41699,7 +42904,7 @@ index 69cbd06..fca2d47 100644 corenet_tcp_bind_generic_node(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) -@@ -167,6 +185,10 @@ corecmd_exec_bin(postfix_master_t) +@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t) domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) 
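Review bot: The new `allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;` in the postfix.te cleanup section gives the queue-side cleanup process read/write on a socket owned by the network-facing smtpd domain, with no comment explaining why. cleanup normally receives the message from smtpd over the unix socket in postfix_public_t, so the TCP socket it sees is presumably an inherited descriptor from the remote SMTP client; if that is the case the safer fix is to silence the denial rather than grant it, `dontaudit postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_socket_perms;`. If cleanup genuinely needs to talk to the client socket, the rule should carry a comment saying so, since as written it widens what a compromised cleanup process can reach. The surrounding cleanup policy continues outside this hunk.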
@@ -41710,7 +42915,7 @@ index 69cbd06..fca2d47 100644 term_dontaudit_search_ptys(postfix_master_t) -@@ -220,13 +242,17 @@ allow postfix_bounce_t self:capability dac_read_search; +@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t self:tcp_socket create_socket_perms; allow postfix_bounce_t postfix_public_t:sock_file write; @@ -41729,7 +42934,14 @@ index 69cbd06..fca2d47 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -243,12 +269,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, +@@ -237,18 +262,24 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool + # + + allow postfix_cleanup_t self:process setrlimit; ++allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms; + + # connect to master process + stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) @@ -41827,7 +43039,15 @@ index 69cbd06..fca2d47 100644 ######################################## # # Postfix map local policy -@@ -348,7 +405,6 @@ corecmd_read_bin_sockets(postfix_map_t) +@@ -329,7 +386,6 @@ kernel_read_kernel_sysctls(postfix_map_t) + kernel_dontaudit_list_proc(postfix_map_t) + kernel_dontaudit_read_system_state(postfix_map_t) + +-corenet_all_recvfrom_unlabeled(postfix_map_t) + corenet_all_recvfrom_netlabel(postfix_map_t) + corenet_tcp_sendrecv_generic_if(postfix_map_t) + corenet_udp_sendrecv_generic_if(postfix_map_t) +@@ -348,7 +404,6 @@ corecmd_read_bin_sockets(postfix_map_t) files_list_home(postfix_map_t) files_read_usr_files(postfix_map_t) 
@@ -41835,7 +43055,7 @@ index 69cbd06..fca2d47 100644 files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) -@@ -379,18 +435,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p +@@ -379,18 +434,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) @@ -41861,7 +43081,7 @@ index 69cbd06..fca2d47 100644 allow postfix_pipe_t self:process setrlimit; write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +463,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +462,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -41870,7 +43090,7 @@ index 69cbd06..fca2d47 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +484,7 @@ optional_policy(` +@@ -420,6 +483,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -41878,7 +43098,7 @@ index 69cbd06..fca2d47 100644 ') optional_policy(` -@@ -436,11 +501,17 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +500,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; 
@@ -41896,7 +43116,7 @@ index 69cbd06..fca2d47 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -487,8 +558,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +557,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -41907,7 +43127,7 @@ index 69cbd06..fca2d47 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -519,7 +590,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +589,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -41920,7 +43140,7 @@ index 69cbd06..fca2d47 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +614,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +613,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -41931,7 +43151,7 @@ index 69cbd06..fca2d47 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -558,6 +635,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; +@@ -558,6 +634,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -41940,7 +43160,7 @@ index 69cbd06..fca2d47 100644 files_search_all_mountpoints(postfix_smtp_t) optional_policy(` -@@ -565,6 +644,14 @@ optional_policy(` +@@ -565,6 +643,14 @@ optional_policy(` ') optional_policy(` 
@@ -41955,7 +43175,7 @@ index 69cbd06..fca2d47 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -581,17 +668,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, +@@ -581,17 +667,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) # for prng_exch @@ -41982,7 +43202,7 @@ index 69cbd06..fca2d47 100644 ') optional_policy(` -@@ -599,6 +694,12 @@ optional_policy(` +@@ -599,6 +693,12 @@ optional_policy(` ') optional_policy(` @@ -41995,7 +43215,7 @@ index 69cbd06..fca2d47 100644 postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,7 +712,6 @@ optional_policy(` +@@ -611,7 +711,6 @@ optional_policy(` # Postfix virtual local policy # @@ -42003,7 +43223,7 @@ index 69cbd06..fca2d47 100644 allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -622,7 +722,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } +@@ -622,7 +721,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) @@ -42011,7 +43231,7 @@ index 69cbd06..fca2d47 100644 files_read_usr_files(postfix_virtual_t) mta_read_aliases(postfix_virtual_t) -@@ -630,3 +729,75 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +728,75 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -42110,10 +43330,10 @@ index feae93b..b2af729 100644 init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/postfixpolicyd.te b/postfixpolicyd.te -index 7257526..7d73656 100644 +index 7257526..e7bd755 100644 --- a/postfixpolicyd.te 
+++ b/postfixpolicyd.te -@@ -23,14 +23,14 @@ files_pid_file(postfix_policyd_var_run_t) +@@ -23,19 +23,18 @@ files_pid_file(postfix_policyd_var_run_t) # Local Policy # @@ -42131,6 +43351,11 @@ index 7257526..7d73656 100644 manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t) files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file) + +-corenet_all_recvfrom_unlabeled(postfix_policyd_t) + corenet_tcp_sendrecv_generic_if(postfix_policyd_t) + corenet_tcp_sendrecv_generic_node(postfix_policyd_t) + corenet_tcp_sendrecv_all_ports(postfix_policyd_t) diff --git a/postgrey.if b/postgrey.if index ad15fde..12202e1 100644 --- a/postgrey.if @@ -42175,7 +43400,7 @@ index ad15fde..12202e1 100644 init_labeled_script_domtrans($1, postgrey_initrc_exec_t) domain_system_change_exemption($1) diff --git a/postgrey.te b/postgrey.te -index db843e2..92203d0 100644 +index db843e2..f7b64e3 100644 --- a/postgrey.te +++ b/postgrey.te @@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; @@ -42187,7 +43412,15 @@ index db843e2..92203d0 100644 type postgrey_var_lib_t; files_type(postgrey_var_lib_t) -@@ -80,6 +80,8 @@ files_getattr_tmp_dirs(postgrey_t) +@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(postgrey_t) + # for perl + corecmd_search_bin(postgrey_t) + +-corenet_all_recvfrom_unlabeled(postgrey_t) + corenet_all_recvfrom_netlabel(postgrey_t) + corenet_tcp_sendrecv_generic_if(postgrey_t) + corenet_tcp_sendrecv_generic_node(postgrey_t) +@@ -80,6 +79,8 @@ files_getattr_tmp_dirs(postgrey_t) fs_getattr_all_fs(postgrey_t) fs_search_auto_mountpoints(postgrey_t) @@ -42379,7 +43612,7 @@ index de4bdb7..a4cad0b 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index bcbf9ac..fd793b3 100644 +index bcbf9ac..83abaca 100644 --- a/ppp.te +++ b/ppp.te @@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false) 
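Review bot: In the postfixpolicyd.te hunk the removal of `corenet_all_recvfrom_unlabeled(postfix_policyd_t)` leaves this domain with no recvfrom rule at all, unlike every other domain touched in this patch, which keeps a `corenet_all_recvfrom_netlabel(...)` line next to the removal. Receiving unlabeled traffic is presumably covered by the domain_type move described in the commit message, but packets carrying a NetLabel/CIPSO label are not, so on a host that uses labeled networking policyd would be the one listener here that cannot accept connections. Adding `corenet_all_recvfrom_netlabel(postfix_policyd_t)` before the `corenet_tcp_sendrecv_generic_if` line brings it in line with the rest of the postfix domains.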
@@ -42468,7 +43701,15 @@ index bcbf9ac..fd793b3 100644 allow pppd_t pptp_t:process signal; -@@ -147,10 +153,12 @@ fs_getattr_all_fs(pppd_t) +@@ -130,7 +136,6 @@ dev_search_sysfs(pppd_t) + dev_read_sysfs(pppd_t) + dev_rw_modem(pppd_t) + +-corenet_all_recvfrom_unlabeled(pppd_t) + corenet_all_recvfrom_netlabel(pppd_t) + corenet_tcp_sendrecv_generic_if(pppd_t) + corenet_raw_sendrecv_generic_if(pppd_t) +@@ -147,10 +152,12 @@ fs_getattr_all_fs(pppd_t) fs_search_auto_mountpoints(pppd_t) term_use_unallocated_ttys(pppd_t) @@ -42481,7 +43722,7 @@ index bcbf9ac..fd793b3 100644 # allow running ip-up and ip-down scripts and running chat. corecmd_exec_bin(pppd_t) -@@ -163,13 +171,15 @@ files_manage_etc_runtime_files(pppd_t) +@@ -163,13 +170,15 @@ files_manage_etc_runtime_files(pppd_t) files_dontaudit_write_etc_files(pppd_t) # for scripts @@ -42498,7 +43739,7 @@ index bcbf9ac..fd793b3 100644 logging_send_syslog_msg(pppd_t) logging_send_audit_msgs(pppd_t) -@@ -180,24 +190,34 @@ sysnet_exec_ifconfig(pppd_t) +@@ -180,24 +189,34 @@ sysnet_exec_ifconfig(pppd_t) sysnet_manage_config(pppd_t) sysnet_etc_filetrans_config(pppd_t) @@ -42536,7 +43777,7 @@ index bcbf9ac..fd793b3 100644 ') optional_policy(` -@@ -247,14 +267,18 @@ allow pptp_t pppd_log_t:file append_file_perms; +@@ -247,21 +266,24 @@ allow pptp_t pppd_log_t:file append_file_perms; allow pptp_t pptp_log_t:file manage_file_perms; logging_log_filetrans(pptp_t, pptp_log_t, file) @@ -42556,7 +43797,14 @@ index bcbf9ac..fd793b3 100644 dev_read_sysfs(pptp_t) -@@ -273,7 +297,6 @@ corenet_tcp_connect_generic_port(pptp_t) + corecmd_exec_shell(pptp_t) + corecmd_read_bin_symlinks(pptp_t) + +-corenet_all_recvfrom_unlabeled(pptp_t) + corenet_all_recvfrom_netlabel(pptp_t) + corenet_tcp_sendrecv_generic_if(pptp_t) + corenet_raw_sendrecv_generic_if(pptp_t) +@@ -273,7 +295,6 @@ corenet_tcp_connect_generic_port(pptp_t) corenet_tcp_connect_all_reserved_ports(pptp_t) corenet_sendrecv_generic_client_packets(pptp_t) 
@@ -42578,7 +43826,7 @@ index ec0e76a..62af9a4 100644 /var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) diff --git a/prelink.te b/prelink.te -index af55369..e97defd 100644 +index af55369..f292637 100644 --- a/prelink.te +++ b/prelink.te @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) @@ -42661,7 +43909,14 @@ index af55369..e97defd 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,17 +170,33 @@ optional_policy(` +@@ -144,21 +166,40 @@ optional_policy(` + corecmd_exec_bin(prelink_cron_system_t) + corecmd_exec_shell(prelink_cron_system_t) + ++ dev_list_sysfs(prelink_cron_system_t) ++ dev_read_sysfs(prelink_cron_system_t) ++ + files_dontaudit_search_all_mountpoints(prelink_cron_system_t) files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) @@ -42766,7 +44021,7 @@ index 2316653..f41a4f7 100644 + admin_pattern($1, prelude_lml_tmp_t) ') diff --git a/prelude.te b/prelude.te -index b1bc02c..818d0a9 100644 +index b1bc02c..0c57041 100644 --- a/prelude.te +++ b/prelude.te @@ -13,7 +13,7 @@ type prelude_initrc_exec_t; @@ -42778,7 +44033,15 @@ index b1bc02c..818d0a9 100644 type prelude_log_t; logging_log_file(prelude_log_t) -@@ -95,7 +95,6 @@ corenet_tcp_connect_mysqld_port(prelude_t) +@@ -82,7 +82,6 @@ kernel_read_sysctl(prelude_t) + + corecmd_search_bin(prelude_t) + +-corenet_all_recvfrom_unlabeled(prelude_t) + corenet_all_recvfrom_netlabel(prelude_t) + corenet_tcp_sendrecv_generic_if(prelude_t) + corenet_tcp_sendrecv_generic_node(prelude_t) +@@ -95,7 +94,6 @@ corenet_tcp_connect_mysqld_port(prelude_t) dev_read_rand(prelude_t) dev_read_urand(prelude_t) 
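Review bot: The two new `dev_list_sysfs(prelink_cron_system_t)` / `dev_read_sysfs(prelink_cron_system_t)` lines in the prelink_cron_system_t hunk are a fresh permission grant that the commit message never mentions, and they carry no comment saying which denial motivated them. `dev_read_sysfs` exposes all of /sys to a cron-launched job, so the rationale, and whether a narrower interface would do, belongs next to the lines, e.g. `# prelink cron job reads /sys - <AVC or bug reference>`. The enclosing optional_policy block starts before the hunk.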
@@ -42786,7 +44049,15 @@ index b1bc02c..818d0a9 100644 files_read_etc_runtime_files(prelude_t) files_read_usr_files(prelude_t) files_search_tmp(prelude_t) -@@ -156,7 +155,6 @@ dev_read_urand(prelude_audisp_t) +@@ -143,7 +141,6 @@ kernel_read_system_state(prelude_audisp_t) + + corecmd_search_bin(prelude_audisp_t) + +-corenet_all_recvfrom_unlabeled(prelude_audisp_t) + corenet_all_recvfrom_netlabel(prelude_audisp_t) + corenet_tcp_sendrecv_generic_if(prelude_audisp_t) + corenet_tcp_sendrecv_generic_node(prelude_audisp_t) +@@ -156,7 +153,6 @@ dev_read_urand(prelude_audisp_t) # Init script handling domain_use_interactive_fds(prelude_audisp_t) @@ -42794,7 +44065,15 @@ index b1bc02c..818d0a9 100644 files_read_etc_runtime_files(prelude_audisp_t) files_search_tmp(prelude_audisp_t) -@@ -192,7 +190,6 @@ corenet_tcp_connect_prelude_port(prelude_correlator_t) +@@ -183,7 +179,6 @@ kernel_read_sysctl(prelude_correlator_t) + + corecmd_search_bin(prelude_correlator_t) + +-corenet_all_recvfrom_unlabeled(prelude_correlator_t) + corenet_all_recvfrom_netlabel(prelude_correlator_t) + corenet_tcp_sendrecv_generic_if(prelude_correlator_t) + corenet_tcp_sendrecv_generic_node(prelude_correlator_t) +@@ -192,7 +187,6 @@ corenet_tcp_connect_prelude_port(prelude_correlator_t) dev_read_rand(prelude_correlator_t) dev_read_urand(prelude_correlator_t) @@ -42802,7 +44081,7 @@ index b1bc02c..818d0a9 100644 files_read_usr_files(prelude_correlator_t) files_search_spool(prelude_correlator_t) -@@ -210,8 +207,8 @@ prelude_manage_spool(prelude_correlator_t) +@@ -210,8 +204,8 @@ prelude_manage_spool(prelude_correlator_t) # allow prelude_lml_t self:capability dac_override; 
@@ -42813,16 +44092,19 @@ index b1bc02c..818d0a9 100644 allow prelude_lml_t self:fifo_file rw_fifo_file_perms; allow prelude_lml_t self:unix_stream_socket connectto; -@@ -236,6 +233,8 @@ kernel_read_sysctl(prelude_lml_t) +@@ -236,10 +230,10 @@ kernel_read_sysctl(prelude_lml_t) corecmd_exec_bin(prelude_lml_t) -+corenet_all_recvfrom_unlabeled(prelude_lml_t) +corenet_all_recvfrom_netlabel(prelude_lml_t) corenet_tcp_sendrecv_generic_if(prelude_lml_t) corenet_tcp_sendrecv_generic_node(prelude_lml_t) corenet_tcp_recvfrom_netlabel(prelude_lml_t) -@@ -247,7 +246,6 @@ dev_read_rand(prelude_lml_t) +-corenet_tcp_recvfrom_unlabeled(prelude_lml_t) + corenet_sendrecv_unlabeled_packets(prelude_lml_t) + corenet_tcp_connect_prelude_port(prelude_lml_t) + +@@ -247,7 +241,6 @@ dev_read_rand(prelude_lml_t) dev_read_urand(prelude_lml_t) files_list_etc(prelude_lml_t) @@ -42830,7 +44112,7 @@ index b1bc02c..818d0a9 100644 files_read_etc_runtime_files(prelude_lml_t) fs_getattr_all_fs(prelude_lml_t) -@@ -283,7 +281,6 @@ optional_policy(` +@@ -283,7 +276,6 @@ optional_policy(` can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) @@ -42856,10 +44138,10 @@ index afd1751..5aff531 100644 init_labeled_script_domtrans($1, privoxy_initrc_exec_t) domain_system_change_exemption($1) diff --git a/privoxy.te b/privoxy.te -index 2dbf4d4..54a6eca 100644 +index 2dbf4d4..06da119 100644 --- a/privoxy.te +++ b/privoxy.te -@@ -46,8 +46,9 @@ logging_log_filetrans(privoxy_t, privoxy_log_t, file) +@@ -46,10 +46,10 @@ logging_log_filetrans(privoxy_t, privoxy_log_t, file) manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t) files_pid_filetrans(privoxy_t, privoxy_var_run_t, file) 
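Review bot: Besides no longer adding `corenet_all_recvfrom_unlabeled(prelude_lml_t)`, this hunk now also deletes the upstream `corenet_tcp_recvfrom_unlabeled(prelude_lml_t)` line while keeping `corenet_sendrecv_unlabeled_packets(prelude_lml_t)`; that second deletion goes beyond the "moved to domain.if" change described in the commit message and is harmless only if the domain-wide grant is the `all` form (tcp, udp and raw), which this chunk does not show. Either say so in the patch description or keep the tcp-only line until that is confirmed, e.g. `corenet_tcp_recvfrom_unlabeled(prelude_lml_t) # TODO: drop once domain.if grants all unlabeled recvfrom`. The prelude_lml_t section continues outside the hunk.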
@@ -42868,9 +44150,11 @@ index 2dbf4d4..54a6eca 100644 +kernel_read_network_state(privoxy_t) +kernel_read_system_state(privoxy_t) - corenet_all_recvfrom_unlabeled(privoxy_t) +-corenet_all_recvfrom_unlabeled(privoxy_t) corenet_all_recvfrom_netlabel(privoxy_t) -@@ -62,6 +63,7 @@ corenet_tcp_connect_squid_port(privoxy_t) + corenet_tcp_sendrecv_generic_if(privoxy_t) + corenet_tcp_sendrecv_generic_node(privoxy_t) +@@ -62,6 +62,7 @@ corenet_tcp_connect_squid_port(privoxy_t) corenet_tcp_connect_ftp_port(privoxy_t) corenet_tcp_connect_pgpkeyserver_port(privoxy_t) corenet_tcp_connect_tor_port(privoxy_t) @@ -42878,7 +44162,7 @@ index 2dbf4d4..54a6eca 100644 corenet_sendrecv_http_cache_client_packets(privoxy_t) corenet_sendrecv_squid_client_packets(privoxy_t) corenet_sendrecv_http_cache_server_packets(privoxy_t) -@@ -76,7 +78,6 @@ fs_search_auto_mountpoints(privoxy_t) +@@ -76,7 +77,6 @@ fs_search_auto_mountpoints(privoxy_t) domain_use_interactive_fds(privoxy_t) @@ -42886,7 +44170,7 @@ index 2dbf4d4..54a6eca 100644 auth_use_nsswitch(privoxy_t) -@@ -87,7 +88,7 @@ miscfiles_read_localization(privoxy_t) +@@ -87,7 +87,7 @@ miscfiles_read_localization(privoxy_t) userdom_dontaudit_use_unpriv_user_fds(privoxy_t) userdom_dontaudit_search_user_home_dirs(privoxy_t) # cjp: this should really not be needed @@ -42933,7 +44217,7 @@ index b64b02f..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) +') diff --git a/procmail.te b/procmail.te -index 29b9295..4bd0290 100644 +index 29b9295..c2ffb07 100644 --- a/procmail.te +++ b/procmail.te @@ -10,6 +10,9 @@ type procmail_exec_t; 
@@ -42955,7 +44239,15 @@ index 29b9295..4bd0290 100644 create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -@@ -67,18 +70,26 @@ auth_use_nsswitch(procmail_t) +@@ -44,7 +47,6 @@ files_tmp_filetrans(procmail_t, procmail_tmp_t, file) + kernel_read_system_state(procmail_t) + kernel_read_kernel_sysctls(procmail_t) + +-corenet_all_recvfrom_unlabeled(procmail_t) + corenet_all_recvfrom_netlabel(procmail_t) + corenet_tcp_sendrecv_generic_if(procmail_t) + corenet_udp_sendrecv_generic_if(procmail_t) +@@ -67,18 +69,26 @@ auth_use_nsswitch(procmail_t) corecmd_exec_bin(procmail_t) corecmd_exec_shell(procmail_t) @@ -42984,7 +44276,7 @@ index 29b9295..4bd0290 100644 # only works until we define a different type for maildir userdom_manage_user_home_content_dirs(procmail_t) userdom_manage_user_home_content_files(procmail_t) -@@ -87,8 +98,8 @@ userdom_manage_user_home_content_pipes(procmail_t) +@@ -87,8 +97,8 @@ userdom_manage_user_home_content_pipes(procmail_t) userdom_manage_user_home_content_sockets(procmail_t) userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) @@ -42995,7 +44287,7 @@ index 29b9295..4bd0290 100644 mta_manage_spool(procmail_t) mta_read_queue(procmail_t) -@@ -97,21 +108,19 @@ ifdef(`hide_broken_symptoms',` +@@ -97,21 +107,19 @@ ifdef(`hide_broken_symptoms',` mta_dontaudit_rw_queue(procmail_t) ') @@ -43025,7 +44317,7 @@ index 29b9295..4bd0290 100644 ') optional_policy(` -@@ -125,6 +134,11 @@ optional_policy(` +@@ -125,6 +133,11 @@ optional_policy(` postfix_read_spool_files(procmail_t) postfix_read_local_state(procmail_t) postfix_read_master_state(procmail_t) @@ -43037,7 +44329,7 @@ index 29b9295..4bd0290 100644 ') optional_policy(` -@@ -134,6 +148,7 @@ optional_policy(` +@@ -134,6 +147,7 @@ optional_policy(` optional_policy(` mta_read_config(procmail_t) 
@@ -43190,7 +44482,7 @@ index bc329d1..20bb463 100644 admin_pattern($1, psad_tmp_t) ') diff --git a/psad.te b/psad.te -index d4000e0..f35afa4 100644 +index d4000e0..0e04801 100644 --- a/psad.te +++ b/psad.te @@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t) @@ -43223,7 +44515,15 @@ index d4000e0..f35afa4 100644 # tmp files manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t) -@@ -85,13 +86,12 @@ corenet_sendrecv_whois_client_packets(psad_t) +@@ -73,7 +74,6 @@ kernel_read_net_sysctls(psad_t) + corecmd_exec_shell(psad_t) + corecmd_exec_bin(psad_t) + +-corenet_all_recvfrom_unlabeled(psad_t) + corenet_all_recvfrom_netlabel(psad_t) + corenet_tcp_sendrecv_generic_if(psad_t) + corenet_tcp_sendrecv_generic_node(psad_t) +@@ -85,13 +85,12 @@ corenet_sendrecv_whois_client_packets(psad_t) dev_read_urand(psad_t) files_read_etc_runtime_files(psad_t) @@ -43238,7 +44538,7 @@ index d4000e0..f35afa4 100644 logging_read_generic_logs(psad_t) logging_read_syslog_config(psad_t) logging_send_syslog_msg(psad_t) -@@ -101,6 +101,10 @@ miscfiles_read_localization(psad_t) +@@ -101,6 +100,10 @@ miscfiles_read_localization(psad_t) sysnet_exec_ifconfig(psad_t) optional_policy(` @@ -43394,7 +44694,7 @@ index f40c64d..a3352d3 100644 + userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth") ') diff --git a/pulseaudio.te b/pulseaudio.te -index 901ac9b..2094fc8 100644 +index 901ac9b..122431f 100644 --- a/pulseaudio.te +++ b/pulseaudio.te @@ -41,7 +41,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; 
@@ -43420,7 +44720,15 @@ index 901ac9b..2094fc8 100644 can_exec(pulseaudio_t, pulseaudio_exec_t) -@@ -76,15 +82,14 @@ dev_write_sound(pulseaudio_t) +@@ -61,7 +67,6 @@ kernel_read_kernel_sysctls(pulseaudio_t) + + corecmd_exec_bin(pulseaudio_t) + +-corenet_all_recvfrom_unlabeled(pulseaudio_t) + corenet_all_recvfrom_netlabel(pulseaudio_t) + corenet_tcp_bind_pulseaudio_port(pulseaudio_t) + corenet_tcp_bind_soundd_port(pulseaudio_t) +@@ -76,15 +81,14 @@ dev_write_sound(pulseaudio_t) dev_read_sysfs(pulseaudio_t) dev_read_urand(pulseaudio_t) @@ -43438,7 +44746,7 @@ index 901ac9b..2094fc8 100644 auth_use_nsswitch(pulseaudio_t) -@@ -92,10 +97,29 @@ logging_send_syslog_msg(pulseaudio_t) +@@ -92,10 +96,29 @@ logging_send_syslog_msg(pulseaudio_t) miscfiles_read_localization(pulseaudio_t) @@ -43472,7 +44780,7 @@ index 901ac9b..2094fc8 100644 optional_policy(` bluetooth_stream_connect(pulseaudio_t) -@@ -125,16 +149,35 @@ optional_policy(` +@@ -125,16 +148,35 @@ optional_policy(` ') optional_policy(` @@ -43508,7 +44816,7 @@ index 901ac9b..2094fc8 100644 udev_read_state(pulseaudio_t) udev_read_db(pulseaudio_t) ') -@@ -146,3 +189,7 @@ optional_policy(` +@@ -146,3 +188,7 @@ optional_policy(` xserver_read_xdm_pid(pulseaudio_t) xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') @@ -43671,7 +44979,7 @@ index 2855a44..2f72e9a 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; +') diff --git a/puppet.te b/puppet.te -index d792d53..d65f35b 100644 +index d792d53..0f9c777 100644 --- a/puppet.te +++ b/puppet.te @@ -13,6 +13,13 @@ policy_module(puppet, 1.2.1) 
@@ -43718,7 +45026,7 @@ index d792d53..d65f35b 100644 manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) -@@ -80,7 +92,10 @@ kernel_dontaudit_search_sysctl(puppet_t) +@@ -80,12 +92,14 @@ kernel_dontaudit_search_sysctl(puppet_t) kernel_dontaudit_search_kernel_sysctl(puppet_t) kernel_read_system_state(puppet_t) kernel_read_crypto_sysctls(puppet_t) @@ -43729,7 +45037,12 @@ index d792d53..d65f35b 100644 corecmd_exec_bin(puppet_t) corecmd_exec_shell(puppet_t) -@@ -103,6 +118,7 @@ files_manage_config_files(puppet_t) + corenet_all_recvfrom_netlabel(puppet_t) +-corenet_all_recvfrom_unlabeled(puppet_t) + corenet_tcp_sendrecv_generic_if(puppet_t) + corenet_tcp_sendrecv_generic_node(puppet_t) + corenet_tcp_bind_generic_node(puppet_t) +@@ -103,6 +117,7 @@ files_manage_config_files(puppet_t) files_manage_config_dirs(puppet_t) files_manage_etc_dirs(puppet_t) files_manage_etc_files(puppet_t) @@ -43737,7 +45050,7 @@ index d792d53..d65f35b 100644 files_read_usr_symlinks(puppet_t) files_relabel_config_dirs(puppet_t) files_relabel_config_files(puppet_t) -@@ -115,6 +131,8 @@ selinux_validate_context(puppet_t) +@@ -115,6 +130,8 @@ selinux_validate_context(puppet_t) term_dontaudit_getattr_unallocated_ttys(puppet_t) term_dontaudit_getattr_all_ttys(puppet_t) @@ -43746,7 +45059,7 @@ index d792d53..d65f35b 100644 init_all_labeled_script_domtrans(puppet_t) init_domtrans_script(puppet_t) init_read_utmp(puppet_t) -@@ -125,20 +143,22 @@ logging_send_syslog_msg(puppet_t) +@@ -125,20 +142,22 @@ logging_send_syslog_msg(puppet_t) miscfiles_read_hwdata(puppet_t) miscfiles_read_localization(puppet_t) @@ -43774,7 +45087,7 @@ index d792d53..d65f35b 100644 ') optional_policy(` -@@ -146,6 +166,14 @@ optional_policy(` +@@ -146,6 +165,14 @@ optional_policy(` ') optional_policy(` 
@@ -43789,7 +45102,7 @@ index d792d53..d65f35b 100644 portage_domtrans(puppet_t) portage_domtrans_fetch(puppet_t) portage_domtrans_gcc_config(puppet_t) -@@ -164,8 +192,131 @@ optional_policy(` +@@ -164,8 +191,131 @@ optional_policy(` ') optional_policy(` @@ -43923,7 +45236,7 @@ index d792d53..d65f35b 100644 ') ######################################## -@@ -184,24 +335,32 @@ allow puppetmaster_t self:udp_socket create_socket_perms; +@@ -184,51 +334,84 @@ allow puppetmaster_t self:udp_socket create_socket_perms; list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) @@ -43958,7 +45271,11 @@ index d792d53..d65f35b 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -213,22 +372,48 @@ corenet_tcp_sendrecv_generic_node(puppetmaster_t) + + corenet_all_recvfrom_netlabel(puppetmaster_t) +-corenet_all_recvfrom_unlabeled(puppetmaster_t) + corenet_tcp_sendrecv_generic_if(puppetmaster_t) + corenet_tcp_sendrecv_generic_node(puppetmaster_t) corenet_tcp_bind_generic_node(puppetmaster_t) corenet_tcp_bind_puppet_port(puppetmaster_t) corenet_sendrecv_puppet_server_packets(puppetmaster_t) @@ -44010,7 +45327,7 @@ index d792d53..d65f35b 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -239,3 +424,9 @@ optional_policy(` +@@ -239,3 +422,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -44169,7 +45486,7 @@ index 44b3a0c..5d247cb 100644 /var/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0) diff --git a/pyicqt.te b/pyicqt.te -index a841221..b62a01f 100644 +index a841221..fa2f1b7 100644 --- a/pyicqt.te +++ b/pyicqt.te @@ -13,7 +13,7 @@ type pyicqt_conf_t; 
@@ -44181,6 +45498,14 @@ index a841221..b62a01f 100644 type pyicqt_var_run_t; files_pid_file(pyicqt_var_run_t) +@@ -40,7 +40,6 @@ kernel_read_system_state(pyicqt_t) + + corecmd_exec_bin(pyicqt_t) + +-corenet_all_recvfrom_unlabeled(pyicqt_t) + corenet_all_recvfrom_netlabel(pyicqt_t) + corenet_tcp_sendrecv_generic_if(pyicqt_t) + corenet_tcp_sendrecv_generic_node(pyicqt_t) diff --git a/pyzor.fc b/pyzor.fc index d4a7750..a927c5a 100644 --- a/pyzor.fc @@ -44276,7 +45601,7 @@ index 494f7e2..2c411af 100644 + admin_pattern($1, pyzor_var_lib_t) +') diff --git a/pyzor.te b/pyzor.te -index c8fb70b..764de6b 100644 +index c8fb70b..84801f0 100644 --- a/pyzor.te +++ b/pyzor.te @@ -1,42 +1,66 @@ @@ -44407,7 +45732,15 @@ index c8fb70b..764de6b 100644 kernel_read_kernel_sysctls(pyzord_t) kernel_read_system_state(pyzord_t) -@@ -128,7 +155,6 @@ corenet_udp_bind_generic_node(pyzord_t) +@@ -119,7 +146,6 @@ dev_read_urand(pyzord_t) + + corecmd_exec_bin(pyzord_t) + +-corenet_all_recvfrom_unlabeled(pyzord_t) + corenet_all_recvfrom_netlabel(pyzord_t) + corenet_udp_sendrecv_generic_if(pyzord_t) + corenet_udp_sendrecv_generic_node(pyzord_t) +@@ -128,7 +154,6 @@ corenet_udp_bind_generic_node(pyzord_t) corenet_udp_bind_pyzor_port(pyzord_t) corenet_sendrecv_pyzor_server_packets(pyzord_t) @@ -44416,10 +45749,18 @@ index c8fb70b..764de6b 100644 auth_use_nsswitch(pyzord_t) diff --git a/qemu.if b/qemu.if -index 268d691..da3a26d 100644 +index 268d691..8b40924 100644 --- a/qemu.if +++ b/qemu.if -@@ -76,7 +76,7 @@ template(`qemu_domain_template',` +@@ -43,7 +43,6 @@ template(`qemu_domain_template',` + + kernel_read_system_state($1_t) + +- corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_netlabel($1_t) + corenet_tcp_sendrecv_generic_if($1_t) + corenet_tcp_sendrecv_generic_node($1_t) +@@ -76,7 +75,7 @@ template(`qemu_domain_template',` sysnet_read_config($1_t) 
@@ -44428,7 +45769,7 @@ index 268d691..da3a26d 100644 userdom_attach_admin_tun_iface($1_t) optional_policy(` -@@ -98,61 +98,40 @@ template(`qemu_domain_template',` +@@ -98,61 +97,40 @@ template(`qemu_domain_template',` ') ') @@ -44503,7 +45844,7 @@ index 268d691..da3a26d 100644 ') ######################################## -@@ -256,20 +235,63 @@ interface(`qemu_kill',` +@@ -256,20 +234,63 @@ interface(`qemu_kill',` ######################################## ## @@ -44573,7 +45914,7 @@ index 268d691..da3a26d 100644 ') ######################################## -@@ -307,3 +329,22 @@ interface(`qemu_manage_tmp_files',` +@@ -307,3 +328,22 @@ interface(`qemu_manage_tmp_files',` manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') @@ -44771,7 +46112,7 @@ index a55bf44..c6dee66 100644 + allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms; +') diff --git a/qmail.te b/qmail.te -index 355b2a2..2eb3c5c 100644 +index 355b2a2..c5cb56e 100644 --- a/qmail.te +++ b/qmail.te @@ -47,7 +47,7 @@ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t) @@ -44881,7 +46222,15 @@ index 355b2a2..2eb3c5c 100644 # allow qmail_remote_t self:tcp_socket create_socket_perms; -@@ -202,7 +204,7 @@ sysnet_read_config(qmail_remote_t) +@@ -183,7 +185,6 @@ allow qmail_remote_t self:udp_socket create_socket_perms; + + rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t) + +-corenet_all_recvfrom_unlabeled(qmail_remote_t) + corenet_all_recvfrom_netlabel(qmail_remote_t) + corenet_tcp_sendrecv_generic_if(qmail_remote_t) + corenet_udp_sendrecv_generic_if(qmail_remote_t) +@@ -202,7 +203,7 @@ sysnet_read_config(qmail_remote_t) ######################################## # # qmail-rspawn local policy @@ -44890,7 +46239,7 @@ index 355b2a2..2eb3c5c 100644 # allow qmail_rspawn_t self:process signal_perms; -@@ -217,7 +219,7 @@ corecmd_search_bin(qmail_rspawn_t) +@@ -217,7 +218,7 @@ corecmd_search_bin(qmail_rspawn_t) ######################################## # # qmail-send local policy 
@@ -44899,7 +46248,7 @@ index 355b2a2..2eb3c5c 100644 # allow qmail_send_t self:process signal_perms; -@@ -236,7 +238,7 @@ optional_policy(` +@@ -236,7 +237,7 @@ optional_policy(` ######################################## # # qmail-smtpd local policy @@ -44908,7 +46257,7 @@ index 355b2a2..2eb3c5c 100644 # allow qmail_smtpd_t self:process signal_perms; -@@ -265,12 +267,11 @@ optional_policy(` +@@ -265,12 +266,11 @@ optional_policy(` ######################################## # # splogger local policy @@ -44922,7 +46271,7 @@ index 355b2a2..2eb3c5c 100644 init_dontaudit_use_script_fds(qmail_splogger_t) -@@ -279,13 +280,13 @@ miscfiles_read_localization(qmail_splogger_t) +@@ -279,13 +279,13 @@ miscfiles_read_localization(qmail_splogger_t) ######################################## # # qmail-start local policy @@ -44938,7 +46287,7 @@ index 355b2a2..2eb3c5c 100644 can_exec(qmail_start_t, qmail_start_exec_t) -@@ -303,7 +304,7 @@ optional_policy(` +@@ -303,7 +303,7 @@ optional_policy(` ######################################## # # tcp-env local policy @@ -45203,7 +46552,7 @@ index 5a9630c..bedca3a 100644 + manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t) ') diff --git a/qpid.te b/qpid.te -index cb7ecb5..52cb067 100644 +index cb7ecb5..172dc37 100644 --- a/qpid.te +++ b/qpid.te @@ -12,12 +12,15 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) @@ -45224,7 +46573,7 @@ index cb7ecb5..52cb067 100644 ######################################## # # qpidd local policy -@@ -30,27 +33,36 @@ allow qpidd_t self:shm create_shm_perms; +@@ -30,27 +33,35 @@ allow qpidd_t self:shm create_shm_perms; allow qpidd_t self:tcp_socket create_stream_socket_perms; allow qpidd_t self:unix_stream_socket create_stream_socket_perms; 
@@ -45246,7 +46595,7 @@ index cb7ecb5..52cb067 100644 kernel_read_system_state(qpidd_t) - corenet_all_recvfrom_unlabeled(qpidd_t) +-corenet_all_recvfrom_unlabeled(qpidd_t) corenet_all_recvfrom_netlabel(qpidd_t) +corenet_tcp_bind_generic_node(qpidd_t) corenet_tcp_sendrecv_generic_if(qpidd_t) @@ -45266,7 +46615,7 @@ index cb7ecb5..52cb067 100644 logging_send_syslog_msg(qpidd_t) -@@ -61,3 +73,8 @@ sysnet_dns_name_resolve(qpidd_t) +@@ -61,3 +72,8 @@ sysnet_dns_name_resolve(qpidd_t) optional_policy(` corosync_stream_connect(qpidd_t) ') @@ -45983,10 +47332,10 @@ index 75e5dc4..87d75fe 100644 init_labeled_script_domtrans($1, radiusd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/radius.te b/radius.te -index b1ed1bf..7658e20 100644 +index b1ed1bf..fe6a9c7 100644 --- a/radius.te +++ b/radius.te -@@ -62,6 +62,7 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) +@@ -62,11 +62,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) @@ -45994,7 +47343,12 @@ index b1ed1bf..7658e20 100644 kernel_read_kernel_sysctls(radiusd_t) kernel_read_system_state(radiusd_t) -@@ -77,6 +78,7 @@ corenet_udp_sendrecv_all_ports(radiusd_t) + +-corenet_all_recvfrom_unlabeled(radiusd_t) + corenet_all_recvfrom_netlabel(radiusd_t) + corenet_tcp_sendrecv_generic_if(radiusd_t) + corenet_udp_sendrecv_generic_if(radiusd_t) +@@ -77,6 +77,7 @@ corenet_udp_sendrecv_all_ports(radiusd_t) corenet_udp_bind_generic_node(radiusd_t) corenet_udp_bind_radacct_port(radiusd_t) corenet_udp_bind_radius_port(radiusd_t) 
@@ -46002,7 +47356,7 @@ index b1ed1bf..7658e20 100644 corenet_tcp_connect_mysqld_port(radiusd_t) corenet_tcp_connect_snmp_port(radiusd_t) corenet_sendrecv_radius_server_packets(radiusd_t) -@@ -99,7 +101,6 @@ corecmd_exec_shell(radiusd_t) +@@ -99,7 +100,6 @@ corecmd_exec_shell(radiusd_t) domain_use_interactive_fds(radiusd_t) files_read_usr_files(radiusd_t) @@ -46010,7 +47364,7 @@ index b1ed1bf..7658e20 100644 files_read_etc_runtime_files(radiusd_t) auth_use_nsswitch(radiusd_t) -@@ -113,6 +114,8 @@ logging_send_syslog_msg(radiusd_t) +@@ -113,6 +113,8 @@ logging_send_syslog_msg(radiusd_t) miscfiles_read_localization(radiusd_t) miscfiles_read_generic_certs(radiusd_t) @@ -46043,10 +47397,18 @@ index be05bff..7b00e1e 100644 init_labeled_script_domtrans($1, radvd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/radvd.te b/radvd.te -index f9a2162..8f0c6bc 100644 +index f9a2162..38354b2 100644 --- a/radvd.te +++ b/radvd.te -@@ -61,7 +61,6 @@ fs_search_auto_mountpoints(radvd_t) +@@ -43,7 +43,6 @@ kernel_read_network_state(radvd_t) + kernel_read_system_state(radvd_t) + kernel_request_load_module(radvd_t) + +-corenet_all_recvfrom_unlabeled(radvd_t) + corenet_all_recvfrom_netlabel(radvd_t) + corenet_tcp_sendrecv_generic_if(radvd_t) + corenet_udp_sendrecv_generic_if(radvd_t) +@@ -61,7 +60,6 @@ fs_search_auto_mountpoints(radvd_t) domain_use_interactive_fds(radvd_t) @@ -46298,10 +47660,10 @@ index f04a595..d6a6e1a 100644 + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') diff --git a/razor.te b/razor.te -index 9353d5e..c661c4b 100644 +index 9353d5e..4e15f29 100644 --- a/razor.te +++ b/razor.te -@@ -5,117 +5,125 @@ policy_module(razor, 2.3.0) +@@ -5,117 +5,124 @@ policy_module(razor, 2.3.0) # Declarations # 
@@ -46378,7 +47740,6 @@ index 9353d5e..c661c4b 100644 + manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) + files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) + -+ corenet_all_recvfrom_unlabeled(system_razor_t) + corenet_all_recvfrom_netlabel(system_razor_t) + corenet_tcp_sendrecv_generic_if(system_razor_t) + corenet_raw_sendrecv_generic_if(system_razor_t) @@ -46545,6 +47906,18 @@ index dee4adc..a7e4bc7 100644 /sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) + +/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) +diff --git a/rdisc.te b/rdisc.te +index 0f07685..2e3ce6c 100644 +--- a/rdisc.te ++++ b/rdisc.te +@@ -25,7 +25,6 @@ kernel_list_proc(rdisc_t) + kernel_read_proc_symlinks(rdisc_t) + kernel_read_kernel_sysctls(rdisc_t) + +-corenet_all_recvfrom_unlabeled(rdisc_t) + corenet_all_recvfrom_netlabel(rdisc_t) + corenet_udp_sendrecv_generic_if(rdisc_t) + corenet_raw_sendrecv_generic_if(rdisc_t) diff --git a/readahead.fc b/readahead.fc index 7077413..0428aee 100644 --- a/readahead.fc @@ -46729,10 +48102,10 @@ index 0000000..48ea717 +') diff --git a/realmd.te b/realmd.te new file mode 100644 -index 0000000..158fd63 +index 0000000..2102bd0 --- /dev/null +++ b/realmd.te -@@ -0,0 +1,41 @@ +@@ -0,0 +1,40 @@ +policy_module(realmd, 1.0.0) + +######################################## @@ -46744,7 +48117,6 @@ index 0000000..158fd63 +type realmd_exec_t; +dbus_system_domain(realmd_t, realmd_exec_t) + -+ +######################################## +# +# realmd local policy @@ -47909,7 +49281,7 @@ index 96efae7..793a29f 100644 allow $1 rhgb_tmpfs_t:file rw_file_perms; ') diff --git a/rhgb.te b/rhgb.te -index 0f262a7..4d10897 100644 +index 0f262a7..8f326ba 100644 --- a/rhgb.te +++ b/rhgb.te @@ -30,7 +30,7 @@ allow rhgb_t self:tcp_socket create_socket_perms; 
@@ -47921,6 +49293,14 @@ index 0f262a7..4d10897 100644 term_create_pty(rhgb_t, rhgb_devpts_t) manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) +@@ -46,7 +46,6 @@ kernel_read_system_state(rhgb_t) + corecmd_exec_bin(rhgb_t) + corecmd_exec_shell(rhgb_t) + +-corenet_all_recvfrom_unlabeled(rhgb_t) + corenet_all_recvfrom_netlabel(rhgb_t) + corenet_tcp_sendrecv_generic_if(rhgb_t) + corenet_udp_sendrecv_generic_if(rhgb_t) diff --git a/rhsmcertd.if b/rhsmcertd.if index 137605a..7624759 100644 --- a/rhsmcertd.if @@ -48278,7 +49658,7 @@ index f7826f9..23d579c 100644 + admin_pattern($1, ricci_var_run_t) +') diff --git a/ricci.te b/ricci.te -index 33e72e8..858e0be 100644 +index 33e72e8..c0a8abe 100644 --- a/ricci.te +++ b/ricci.te @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0) @@ -48316,7 +49696,7 @@ index 33e72e8..858e0be 100644 manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir }) -@@ -105,6 +109,7 @@ manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) +@@ -105,10 +109,10 @@ manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(ricci_t) @@ -48324,7 +49704,11 @@ index 33e72e8..858e0be 100644 corecmd_exec_bin(ricci_t) -@@ -123,7 +128,6 @@ dev_read_urand(ricci_t) +-corenet_all_recvfrom_unlabeled(ricci_t) + corenet_all_recvfrom_netlabel(ricci_t) + corenet_tcp_sendrecv_generic_if(ricci_t) + corenet_tcp_sendrecv_generic_node(ricci_t) +@@ -123,7 +127,6 @@ dev_read_urand(ricci_t) domain_read_all_domains_state(ricci_t) @@ -48332,7 +49716,7 @@ index 33e72e8..858e0be 100644 files_read_etc_runtime_files(ricci_t) files_create_boot_flag(ricci_t) -@@ -170,6 +174,10 @@ optional_policy(` +@@ -170,6 +173,10 @@ optional_policy(` ') optional_policy(` 
@@ -48343,7 +49727,7 @@ index 33e72e8..858e0be 100644 unconfined_use_fds(ricci_t) ') -@@ -193,15 +201,17 @@ corecmd_exec_shell(ricci_modcluster_t) +@@ -193,15 +200,17 @@ corecmd_exec_shell(ricci_modcluster_t) corecmd_exec_bin(ricci_modcluster_t) corenet_tcp_bind_cluster_port(ricci_modclusterd_t) @@ -48363,7 +49747,7 @@ index 33e72e8..858e0be 100644 init_exec(ricci_modcluster_t) init_domtrans_script(ricci_modcluster_t) -@@ -209,13 +219,9 @@ logging_send_syslog_msg(ricci_modcluster_t) +@@ -209,13 +218,9 @@ logging_send_syslog_msg(ricci_modcluster_t) miscfiles_read_localization(ricci_modcluster_t) @@ -48380,7 +49764,7 @@ index 33e72e8..858e0be 100644 optional_policy(` aisexec_stream_connect(ricci_modcluster_t) -@@ -233,7 +239,15 @@ optional_policy(` +@@ -233,7 +238,15 @@ optional_policy(` ') optional_policy(` @@ -48397,7 +49781,7 @@ index 33e72e8..858e0be 100644 ') optional_policy(` -@@ -241,8 +255,7 @@ optional_policy(` +@@ -241,8 +254,7 @@ optional_policy(` ') optional_policy(` @@ -48407,7 +49791,7 @@ index 33e72e8..858e0be 100644 ') ######################################## -@@ -261,6 +274,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms; +@@ -261,6 +273,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms; allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms; 
@@ -48418,7 +49802,7 @@ index 33e72e8..858e0be 100644 allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -@@ -272,6 +289,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock +@@ -272,6 +288,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock kernel_read_kernel_sysctls(ricci_modclusterd_t) kernel_read_system_state(ricci_modclusterd_t) @@ -48426,7 +49810,7 @@ index 33e72e8..858e0be 100644 corecmd_exec_bin(ricci_modclusterd_t) -@@ -283,7 +301,6 @@ corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t) +@@ -283,7 +300,6 @@ corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t) domain_read_all_domains_state(ricci_modclusterd_t) @@ -48434,7 +49818,7 @@ index 33e72e8..858e0be 100644 files_read_etc_runtime_files(ricci_modclusterd_t) fs_getattr_xattr_fs(ricci_modclusterd_t) -@@ -334,7 +351,6 @@ corecmd_exec_bin(ricci_modlog_t) +@@ -334,7 +350,6 @@ corecmd_exec_bin(ricci_modlog_t) domain_read_all_domains_state(ricci_modlog_t) @@ -48442,7 +49826,7 @@ index 33e72e8..858e0be 100644 files_search_usr(ricci_modlog_t) logging_read_generic_logs(ricci_modlog_t) -@@ -361,7 +377,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t) +@@ -361,7 +376,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t) corecmd_exec_bin(ricci_modrpm_t) files_search_usr(ricci_modrpm_t) @@ -48452,7 +49836,7 @@ index 33e72e8..858e0be 100644 miscfiles_read_localization(ricci_modrpm_t) -@@ -388,16 +405,15 @@ kernel_read_system_state(ricci_modservice_t) +@@ -388,16 +404,15 @@ kernel_read_system_state(ricci_modservice_t) corecmd_exec_bin(ricci_modservice_t) corecmd_exec_shell(ricci_modservice_t) 
@@ -48471,7 +49855,7 @@ index 33e72e8..858e0be 100644 miscfiles_read_localization(ricci_modservice_t) optional_policy(` -@@ -405,6 +421,10 @@ optional_policy(` +@@ -405,6 +420,10 @@ optional_policy(` ') optional_policy(` @@ -48482,7 +49866,7 @@ index 33e72e8..858e0be 100644 nscd_dontaudit_search_pid(ricci_modservice_t) ') -@@ -418,7 +438,6 @@ optional_policy(` +@@ -418,7 +437,6 @@ optional_policy(` # allow ricci_modstorage_t self:process { setsched signal }; @@ -48490,7 +49874,7 @@ index 33e72e8..858e0be 100644 allow ricci_modstorage_t self:capability { mknod sys_nice }; allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms; allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms; -@@ -444,22 +463,22 @@ files_read_etc_runtime_files(ricci_modstorage_t) +@@ -444,22 +462,22 @@ files_read_etc_runtime_files(ricci_modstorage_t) files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) @@ -48520,7 +49904,7 @@ index 33e72e8..858e0be 100644 optional_policy(` aisexec_stream_connect(ricci_modstorage_t) corosync_stream_connect(ricci_modstorage_t) -@@ -471,12 +490,24 @@ optional_policy(` +@@ -471,12 +489,24 @@ optional_policy(` ') optional_policy(` @@ -48593,7 +49977,7 @@ index 63e78c6..fdd8228 100644 type rlogind_home_t; ') diff --git a/rlogin.te b/rlogin.te -index d654552..f8415f4 100644 +index d654552..998463f 100644 --- a/rlogin.te +++ b/rlogin.te @@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t) 
@@ -48622,7 +50006,15 @@ index d654552..f8415f4 100644 manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) -@@ -69,10 +67,11 @@ fs_getattr_xattr_fs(rlogind_t) +@@ -52,7 +50,6 @@ kernel_read_kernel_sysctls(rlogind_t) + kernel_read_system_state(rlogind_t) + kernel_read_network_state(rlogind_t) + +-corenet_all_recvfrom_unlabeled(rlogind_t) + corenet_all_recvfrom_netlabel(rlogind_t) + corenet_tcp_sendrecv_generic_if(rlogind_t) + corenet_udp_sendrecv_generic_if(rlogind_t) +@@ -69,10 +66,11 @@ fs_getattr_xattr_fs(rlogind_t) fs_search_auto_mountpoints(rlogind_t) auth_domtrans_chk_passwd(rlogind_t) @@ -48635,7 +50027,7 @@ index d654552..f8415f4 100644 files_read_etc_runtime_files(rlogind_t) files_search_home(rlogind_t) files_search_default(rlogind_t) -@@ -88,27 +87,24 @@ seutil_read_config(rlogind_t) +@@ -88,27 +86,24 @@ seutil_read_config(rlogind_t) userdom_setattr_user_ptys(rlogind_t) # cjp: this is egregious userdom_read_user_home_content_files(rlogind_t) @@ -48692,6 +50084,18 @@ index 30c4b75..e07c2ff 100644 init_labeled_script_domtrans($1, roundup_initrc_exec_t) domain_system_change_exemption($1) +diff --git a/roundup.te b/roundup.te +index 57f839f..c002c99 100644 +--- a/roundup.te ++++ b/roundup.te +@@ -45,7 +45,6 @@ dev_read_sysfs(roundup_t) + # execute python + corecmd_exec_bin(roundup_t) + +-corenet_all_recvfrom_unlabeled(roundup_t) + corenet_all_recvfrom_netlabel(roundup_t) + corenet_tcp_sendrecv_generic_if(roundup_t) + corenet_udp_sendrecv_generic_if(roundup_t) diff --git a/rpc.fc b/rpc.fc index 5c70c0c..b0c22f7 100644 --- a/rpc.fc @@ -48727,7 +50131,7 @@ index 5c70c0c..b0c22f7 100644 /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) + diff --git a/rpc.if b/rpc.if -index dddabcf..fa20a5d 100644 +index dddabcf..90b3b52 100644 --- a/rpc.if +++ b/rpc.if @@ -32,7 +32,11 @@ interface(`rpc_stub',` 
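Review bot: The `-corenet_all_recvfrom_unlabeled(rlogind_t)` removal in this rlogin.te hunk, and the matching removals in the roundup.te, rpc.if, rpcbind.te, rpm.te, rshd.te, rsync.te, rwho.te, samba.te, sandbox.te, sasl.te, screen.te, sendmail.te and setroubleshoot.te hunks that follow, keep these domains able to receive unlabeled packets only in combination with the domain.if change the commit message describes, which is not in this chunk and so cannot be checked here. If that change lands separately or is later reverted, each of these services silently starts hitting recvfrom denials on unlabeled traffic, so the two pieces should be reviewed and merged as one unit. Granting the permission to all of domain_type also means domains that never touch the network now receive it, which is a broadening of the network-labeling policy rather than a pure refactor; a `# recvfrom_unlabeled is granted to all domain_type in domain.if` comment next to the remaining corenet_all_recvfrom_netlabel line of a representative module would keep the next maintainer from re-adding the per-domain call.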
@@ -48743,7 +50147,15 @@ index dddabcf..fa20a5d 100644 ######################################## # # Declarations -@@ -152,7 +156,7 @@ interface(`rpc_dontaudit_getattr_exports',` +@@ -69,7 +73,6 @@ template(`rpc_domain_template', ` + dev_read_urand($1_t) + dev_read_rand($1_t) + +- corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_netlabel($1_t) + corenet_tcp_sendrecv_generic_if($1_t) + corenet_udp_sendrecv_generic_if($1_t) +@@ -152,7 +155,7 @@ interface(`rpc_dontaudit_getattr_exports',` type exports_t; ') @@ -48752,7 +50164,7 @@ index dddabcf..fa20a5d 100644 ') ######################################## -@@ -188,7 +192,7 @@ interface(`rpc_write_exports',` +@@ -188,7 +191,7 @@ interface(`rpc_write_exports',` type exports_t; ') @@ -48761,7 +50173,7 @@ index dddabcf..fa20a5d 100644 ') ######################################## -@@ -229,6 +233,29 @@ interface(`rpc_initrc_domtrans_nfsd',` +@@ -229,6 +232,29 @@ interface(`rpc_initrc_domtrans_nfsd',` ######################################## ## @@ -48791,7 +50203,7 @@ index dddabcf..fa20a5d 100644 ## Execute domain in rpcd domain. ## ## -@@ -246,6 +273,32 @@ interface(`rpc_domtrans_rpcd',` +@@ -246,6 +272,32 @@ interface(`rpc_domtrans_rpcd',` allow rpcd_t $1:process signal; ') @@ -48824,7 +50236,7 @@ index dddabcf..fa20a5d 100644 ####################################### ## ## Execute domain in rpcd domain. -@@ -266,6 +319,29 @@ interface(`rpc_initrc_domtrans_rpcd',` +@@ -266,6 +318,29 @@ interface(`rpc_initrc_domtrans_rpcd',` ######################################## ## @@ -48854,7 +50266,7 @@ index dddabcf..fa20a5d 100644 ## Read NFS exported content. ## ## -@@ -282,7 +358,7 @@ interface(`rpc_read_nfs_content',` +@@ -282,7 +357,7 @@ interface(`rpc_read_nfs_content',` allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; 
@@ -48863,7 +50275,7 @@ index dddabcf..fa20a5d 100644 ') ######################################## -@@ -329,7 +405,7 @@ interface(`rpc_manage_nfs_ro_content',` +@@ -329,7 +404,7 @@ interface(`rpc_manage_nfs_ro_content',` ######################################## ## @@ -48872,7 +50284,7 @@ index dddabcf..fa20a5d 100644 ## ## ## -@@ -337,17 +413,17 @@ interface(`rpc_manage_nfs_ro_content',` +@@ -337,17 +412,17 @@ interface(`rpc_manage_nfs_ro_content',` ## ## # @@ -48893,7 +50305,7 @@ index dddabcf..fa20a5d 100644 ## ## ## -@@ -355,17 +431,13 @@ interface(`rpc_tcp_rw_nfs_sockets',` +@@ -355,17 +430,13 @@ interface(`rpc_tcp_rw_nfs_sockets',` ## ## # @@ -48914,7 +50326,7 @@ index dddabcf..fa20a5d 100644 ## ## ## -@@ -373,13 +445,18 @@ interface(`rpc_udp_rw_nfs_sockets',` +@@ -373,13 +444,18 @@ interface(`rpc_udp_rw_nfs_sockets',` ## ## # @@ -48936,7 +50348,7 @@ index dddabcf..fa20a5d 100644 ## ## ## -@@ -387,13 +464,13 @@ interface(`rpc_udp_send_nfs',` +@@ -387,13 +463,13 @@ interface(`rpc_udp_send_nfs',` ## ## # @@ -48952,7 +50364,7 @@ index dddabcf..fa20a5d 100644 ') ######################################## -@@ -432,4 +509,5 @@ interface(`rpc_manage_nfs_state_data',` +@@ -432,4 +508,5 @@ interface(`rpc_manage_nfs_state_data',` files_search_var_lib($1) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) @@ -49264,19 +50676,20 @@ index a96249c..5f38427 100644 + admin_pattern($1, rpcbind_var_run_t) ') diff --git a/rpcbind.te b/rpcbind.te -index a63e9ee..9cb5e25 100644 +index a63e9ee..b4e1f32 100644 --- a/rpcbind.te 
+++ b/rpcbind.te -@@ -43,6 +43,8 @@ kernel_read_system_state(rpcbind_t) +@@ -43,7 +43,8 @@ kernel_read_system_state(rpcbind_t) kernel_read_network_state(rpcbind_t) kernel_request_load_module(rpcbind_t) +-corenet_all_recvfrom_unlabeled(rpcbind_t) +corecmd_exec_shell(rpcbind_t) + - corenet_all_recvfrom_unlabeled(rpcbind_t) corenet_all_recvfrom_netlabel(rpcbind_t) corenet_tcp_sendrecv_generic_if(rpcbind_t) -@@ -67,3 +69,11 @@ logging_send_syslog_msg(rpcbind_t) + corenet_udp_sendrecv_generic_if(rpcbind_t) +@@ -67,3 +68,11 @@ logging_send_syslog_msg(rpcbind_t) miscfiles_read_localization(rpcbind_t) sysnet_dns_name_resolve(rpcbind_t) @@ -49542,7 +50955,7 @@ index 951d8f6..8ba0f86 100644 + allow rpm_script_t $1:process sigchld; +') diff --git a/rpm.te b/rpm.te -index 1f95a33..82d21e8 100644 +index 1f95a33..31d9991 100644 --- a/rpm.te +++ b/rpm.te @@ -1,12 +1,11 @@ @@ -49586,7 +50999,7 @@ index 1f95a33..82d21e8 100644 allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t, rpm_log_t, file) -@@ -105,13 +105,16 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir) +@@ -105,17 +105,19 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir) manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) @@ -49604,7 +51017,11 @@ index 1f95a33..82d21e8 100644 corecmd_exec_all_executables(rpm_t) -@@ -131,6 +134,19 @@ corenet_sendrecv_all_client_packets(rpm_t) +-corenet_all_recvfrom_unlabeled(rpm_t) + corenet_all_recvfrom_netlabel(rpm_t) + corenet_tcp_sendrecv_generic_if(rpm_t) + corenet_raw_sendrecv_generic_if(rpm_t) +@@ -131,6 +133,19 @@ corenet_sendrecv_all_client_packets(rpm_t) dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) @@ -49624,7 +51041,7 @@ index 1f95a33..82d21e8 100644 fs_getattr_all_dirs(rpm_t) fs_list_inotifyfs(rpm_t) -@@ -158,8 +174,8 @@ storage_raw_read_fixed_disk(rpm_t) +@@ -158,8 +173,8 @@ storage_raw_read_fixed_disk(rpm_t) term_list_ptys(rpm_t) 
@@ -49635,7 +51052,7 @@ index 1f95a33..82d21e8 100644 auth_dontaudit_read_shadow(rpm_t) auth_use_nsswitch(rpm_t) -@@ -168,7 +184,6 @@ rpm_domtrans_script(rpm_t) +@@ -168,7 +183,6 @@ rpm_domtrans_script(rpm_t) domain_read_all_domains_state(rpm_t) domain_getattr_all_domains(rpm_t) @@ -49643,7 +51060,7 @@ index 1f95a33..82d21e8 100644 domain_use_interactive_fds(rpm_t) domain_dontaudit_getattr_all_pipes(rpm_t) domain_dontaudit_getattr_all_tcp_sockets(rpm_t) -@@ -177,23 +192,26 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t) +@@ -177,23 +191,26 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t) domain_dontaudit_getattr_all_raw_sockets(rpm_t) domain_dontaudit_getattr_all_stream_sockets(rpm_t) domain_dontaudit_getattr_all_dgram_sockets(rpm_t) @@ -49672,7 +51089,7 @@ index 1f95a33..82d21e8 100644 userdom_use_unpriv_users_fds(rpm_t) optional_policy(` -@@ -211,14 +229,15 @@ optional_policy(` +@@ -211,14 +228,15 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(rpm_t) ') @@ -49690,7 +51107,7 @@ index 1f95a33..82d21e8 100644 # yum-updatesd requires this unconfined_dbus_chat(rpm_t) unconfined_dbus_chat(rpm_script_t) -@@ -229,7 +248,8 @@ optional_policy(` +@@ -229,7 +247,8 @@ optional_policy(` # rpm-script Local policy # @@ -49700,7 +51117,7 @@ index 1f95a33..82d21e8 100644 allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; -@@ -261,12 +281,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +@@ -261,12 +280,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) can_exec(rpm_script_t, rpm_script_tmpfs_t) 
@@ -49719,7 +51136,7 @@ index 1f95a33..82d21e8 100644 dev_list_sysfs(rpm_script_t) # ideally we would not need this -@@ -286,7 +312,6 @@ fs_unmount_xattr_fs(rpm_script_t) +@@ -286,7 +311,6 @@ fs_unmount_xattr_fs(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) mcs_killall(rpm_script_t) @@ -49727,7 +51144,7 @@ index 1f95a33..82d21e8 100644 mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) -@@ -303,19 +328,20 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -303,19 +327,20 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -49752,7 +51169,7 @@ index 1f95a33..82d21e8 100644 domain_use_interactive_fds(rpm_script_t) domain_signal_all_domains(rpm_script_t) domain_signull_all_domains(rpm_script_t) -@@ -330,33 +356,37 @@ init_telinit(rpm_script_t) +@@ -330,33 +355,37 @@ init_telinit(rpm_script_t) libs_exec_ld_so(rpm_script_t) libs_exec_lib_files(rpm_script_t) @@ -49799,7 +51216,7 @@ index 1f95a33..82d21e8 100644 ') optional_policy(` -@@ -364,7 +394,7 @@ optional_policy(` +@@ -364,7 +393,7 @@ optional_policy(` ') optional_policy(` @@ -49808,7 +51225,7 @@ index 1f95a33..82d21e8 100644 ') optional_policy(` -@@ -372,8 +402,13 @@ optional_policy(` +@@ -372,8 +401,13 @@ optional_policy(` ') optional_policy(` @@ -49824,7 +51241,7 @@ index 1f95a33..82d21e8 100644 ') optional_policy(` -@@ -381,7 +416,7 @@ optional_policy(` +@@ -381,7 +415,7 @@ optional_policy(` ') optional_policy(` @@ -49833,7 +51250,7 @@ index 1f95a33..82d21e8 100644 unconfined_domtrans(rpm_script_t) optional_policy(` -@@ -394,6 +429,6 @@ optional_policy(` +@@ -394,6 +428,6 @@ optional_policy(` ') optional_policy(` @@ -49843,10 +51260,18 @@ index 1f95a33..82d21e8 100644 + usermanage_domtrans_useradd(rpm_script_t) ') diff --git a/rshd.te b/rshd.te -index 0b405d1..78f13b6 100644 +index 0b405d1..df2ecae 100644 --- a/rshd.te 
+++ b/rshd.te -@@ -39,6 +39,8 @@ corenet_sendrecv_rsh_server_packets(rshd_t) +@@ -22,7 +22,6 @@ allow rshd_t self:tcp_socket create_stream_socket_perms; + + kernel_read_kernel_sysctls(rshd_t) + +-corenet_all_recvfrom_unlabeled(rshd_t) + corenet_all_recvfrom_netlabel(rshd_t) + corenet_tcp_sendrecv_generic_if(rshd_t) + corenet_udp_sendrecv_generic_if(rshd_t) +@@ -39,6 +38,8 @@ corenet_sendrecv_rsh_server_packets(rshd_t) dev_read_urand(rshd_t) @@ -49855,7 +51280,7 @@ index 0b405d1..78f13b6 100644 selinux_get_fs_mount(rshd_t) selinux_validate_context(rshd_t) selinux_compute_access_vector(rshd_t) -@@ -66,20 +68,12 @@ seutil_read_config(rshd_t) +@@ -66,20 +67,12 @@ seutil_read_config(rshd_t) seutil_read_default_contexts(rshd_t) userdom_search_user_home_content(rshd_t) @@ -49995,7 +51420,7 @@ index 3386f29..8d8f6c5 100644 + files_etc_filetrans($1, rsync_etc_t, $2) +') diff --git a/rsync.te b/rsync.te -index ba98794..19a06d9 100644 +index ba98794..1158d96 100644 --- a/rsync.te +++ b/rsync.te @@ -7,6 +7,27 @@ policy_module(rsync, 1.11.1) @@ -50044,7 +51469,15 @@ index ba98794..19a06d9 100644 allow rsync_t rsync_data_t:dir list_dir_perms; read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -@@ -95,7 +116,6 @@ dev_read_urand(rsync_t) +@@ -79,7 +100,6 @@ kernel_read_kernel_sysctls(rsync_t) + kernel_read_system_state(rsync_t) + kernel_read_network_state(rsync_t) + +-corenet_all_recvfrom_unlabeled(rsync_t) + corenet_all_recvfrom_netlabel(rsync_t) + corenet_tcp_sendrecv_generic_if(rsync_t) + corenet_udp_sendrecv_generic_if(rsync_t) +@@ -95,7 +115,6 @@ dev_read_urand(rsync_t) fs_getattr_xattr_fs(rsync_t) @@ -50052,7 +51485,7 @@ index ba98794..19a06d9 100644 files_search_home(rsync_t) auth_use_nsswitch(rsync_t) -@@ -105,7 +125,7 @@ logging_send_syslog_msg(rsync_t) +@@ -105,7 +124,7 @@ logging_send_syslog_msg(rsync_t) miscfiles_read_localization(rsync_t) miscfiles_read_public_files(rsync_t) 
@@ -50061,7 +51494,7 @@ index ba98794..19a06d9 100644 miscfiles_manage_public_files(rsync_t) ') -@@ -121,13 +141,39 @@ optional_policy(` +@@ -121,13 +140,39 @@ optional_policy(` inetd_service_domain(rsync_t, rsync_exec_t) ') @@ -50176,7 +51609,7 @@ index 71ea0ea..886a45e 100644 init_labeled_script_domtrans($1, rwho_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rwho.te b/rwho.te -index a07b2f4..36b4903 100644 +index a07b2f4..807a1cf 100644 --- a/rwho.te +++ b/rwho.te @@ -16,7 +16,7 @@ type rwho_log_t; @@ -50196,7 +51629,15 @@ index a07b2f4..36b4903 100644 allow rwho_t self:unix_dgram_socket create; allow rwho_t self:fifo_file rw_file_perms; allow rwho_t self:unix_stream_socket create_stream_socket_perms; -@@ -55,6 +56,10 @@ files_read_etc_files(rwho_t) +@@ -39,7 +40,6 @@ files_spool_filetrans(rwho_t, rwho_spool_t, { file dir }) + + kernel_read_system_state(rwho_t) + +-corenet_all_recvfrom_unlabeled(rwho_t) + corenet_all_recvfrom_netlabel(rwho_t) + corenet_udp_sendrecv_generic_if(rwho_t) + corenet_udp_sendrecv_generic_node(rwho_t) +@@ -55,6 +55,10 @@ files_read_etc_files(rwho_t) init_read_utmp(rwho_t) init_dontaudit_write_utmp(rwho_t) @@ -50556,7 +51997,7 @@ index 82cb169..987239e 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index fc22785..98b89c4 100644 +index fc22785..0a93fed 100644 --- a/samba.te +++ b/samba.te @@ -12,7 +12,7 @@ policy_module(samba, 1.14.1) @@ -50603,6 +52044,16 @@ index fc22785..98b89c4 100644 type winbind_var_run_t; files_pid_file(winbind_var_run_t) +@@ -184,8 +192,8 @@ manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) + + kernel_read_proc_symlinks(samba_net_t) + kernel_read_system_state(samba_net_t) ++kernel_read_network_state(samba_net_t) + +-corenet_all_recvfrom_unlabeled(samba_net_t) + corenet_all_recvfrom_netlabel(samba_net_t) + corenet_tcp_sendrecv_generic_if(samba_net_t) + corenet_udp_sendrecv_generic_if(samba_net_t) 
@@ -203,7 +211,6 @@ dev_read_urand(samba_net_t) domain_use_interactive_fds(samba_net_t) @@ -50682,7 +52133,15 @@ index fc22785..98b89c4 100644 allow smbd_t swat_t:process signal; -@@ -316,6 +334,7 @@ corenet_tcp_connect_smbd_port(smbd_t) +@@ -298,7 +316,6 @@ kernel_read_system_state(smbd_t) + corecmd_exec_shell(smbd_t) + corecmd_exec_bin(smbd_t) + +-corenet_all_recvfrom_unlabeled(smbd_t) + corenet_all_recvfrom_netlabel(smbd_t) + corenet_tcp_sendrecv_generic_if(smbd_t) + corenet_udp_sendrecv_generic_if(smbd_t) +@@ -316,6 +333,7 @@ corenet_tcp_connect_smbd_port(smbd_t) dev_read_sysfs(smbd_t) dev_read_urand(smbd_t) @@ -50690,7 +52149,7 @@ index fc22785..98b89c4 100644 dev_getattr_mtrr_dev(smbd_t) dev_dontaudit_getattr_usbfs_dirs(smbd_t) # For redhat bug 566984 -@@ -323,26 +342,29 @@ dev_getattr_all_blk_files(smbd_t) +@@ -323,26 +341,29 @@ dev_getattr_all_blk_files(smbd_t) dev_getattr_all_chr_files(smbd_t) fs_getattr_all_fs(smbd_t) @@ -50721,7 +52180,7 @@ index fc22785..98b89c4 100644 # Allow samba to list mnt_t for potential mounted dirs files_list_mnt(smbd_t) -@@ -354,6 +376,8 @@ logging_send_syslog_msg(smbd_t) +@@ -354,6 +375,8 @@ logging_send_syslog_msg(smbd_t) miscfiles_read_localization(smbd_t) miscfiles_read_public_files(smbd_t) @@ -50730,7 +52189,7 @@ index fc22785..98b89c4 100644 userdom_use_unpriv_users_fds(smbd_t) userdom_search_user_home_content(smbd_t) userdom_signal_all_users(smbd_t) -@@ -368,8 +392,13 @@ ifdef(`hide_broken_symptoms', ` +@@ -368,8 +391,13 @@ ifdef(`hide_broken_symptoms', ` fs_dontaudit_getattr_tmpfs_dirs(smbd_t) ') @@ -50745,7 +52204,7 @@ index fc22785..98b89c4 100644 ') tunable_policy(`samba_domain_controller',` -@@ -385,12 +414,7 @@ tunable_policy(`samba_domain_controller',` +@@ -385,12 +413,7 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` 
@@ -50759,10 +52218,14 @@ index fc22785..98b89c4 100644 ') # Support Samba sharing of NFS mount points -@@ -411,6 +435,11 @@ tunable_policy(`samba_share_fusefs',` +@@ -411,6 +434,15 @@ tunable_policy(`samba_share_fusefs',` ') optional_policy(` ++ ccs_read_config(smbd_t) ++') ++ ++optional_policy(` + ctdbd_stream_connect(smbd_t) + ctdbd_manage_lib_files(smbd_t) +') @@ -50771,7 +52234,7 @@ index fc22785..98b89c4 100644 cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) ') -@@ -421,6 +450,11 @@ optional_policy(` +@@ -421,6 +453,11 @@ optional_policy(` ') optional_policy(` @@ -50783,7 +52246,7 @@ index fc22785..98b89c4 100644 lpd_exec_lpr(smbd_t) ') -@@ -444,26 +478,26 @@ optional_policy(` +@@ -444,26 +481,26 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -50822,7 +52285,7 @@ index fc22785..98b89c4 100644 ######################################## # # nmbd Local policy -@@ -483,8 +517,11 @@ allow nmbd_t self:udp_socket create_socket_perms; +@@ -483,8 +520,11 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -50835,7 +52298,7 @@ index fc22785..98b89c4 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -496,8 +533,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) +@@ -496,8 +536,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) allow nmbd_t smbcontrol_t:process signal; 
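Review bot: `ccs_read_config(smbd_t)` in the samba.te hunk is granted whenever the ccs module is present, with no tunable and no comment saying why smbd needs the cluster configuration; only the adjacent ctdbd block hints that this is for clustered Samba. A `# clustered samba (ctdb) reads the cluster config; see <bug-id placeholder>` comment above the new optional_policy block would record the reason, and if the read is only needed under ctdb, gating both blocks on one tunable would keep the cluster config unreadable by a non-clustered smbd. The enclosing smbd policy section starts and ends outside this hunk.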
@@ -50844,7 +52307,15 @@ index fc22785..98b89c4 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) kernel_read_kernel_sysctls(nmbd_t) -@@ -528,7 +563,6 @@ fs_search_auto_mountpoints(nmbd_t) +@@ -505,7 +543,6 @@ kernel_read_network_state(nmbd_t) + kernel_read_software_raid_state(nmbd_t) + kernel_read_system_state(nmbd_t) + +-corenet_all_recvfrom_unlabeled(nmbd_t) + corenet_all_recvfrom_netlabel(nmbd_t) + corenet_tcp_sendrecv_generic_if(nmbd_t) + corenet_udp_sendrecv_generic_if(nmbd_t) +@@ -528,7 +565,6 @@ fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) files_read_usr_files(nmbd_t) @@ -50852,7 +52323,7 @@ index fc22785..98b89c4 100644 files_list_var_lib(nmbd_t) auth_use_nsswitch(nmbd_t) -@@ -554,18 +588,21 @@ optional_policy(` +@@ -554,18 +590,21 @@ optional_policy(` # smbcontrol local policy # @@ -50878,7 +52349,7 @@ index fc22785..98b89c4 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -573,11 +610,20 @@ samba_read_winbind_pid(smbcontrol_t) +@@ -573,11 +612,20 @@ samba_read_winbind_pid(smbcontrol_t) domain_use_interactive_fds(smbcontrol_t) @@ -50901,7 +52372,7 @@ index fc22785..98b89c4 100644 ######################################## # -@@ -596,7 +642,7 @@ allow smbmount_t samba_etc_t:file read_file_perms; +@@ -596,7 +644,7 @@ allow smbmount_t samba_etc_t:file read_file_perms; can_exec(smbmount_t, smbmount_exec_t) 
@@ -50910,7 +52381,15 @@ index fc22785..98b89c4 100644 allow smbmount_t samba_log_t:file manage_file_perms; allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -637,25 +683,26 @@ files_list_mnt(smbmount_t) +@@ -607,7 +655,6 @@ files_list_var_lib(smbmount_t) + + kernel_read_system_state(smbmount_t) + +-corenet_all_recvfrom_unlabeled(smbmount_t) + corenet_all_recvfrom_netlabel(smbmount_t) + corenet_tcp_sendrecv_generic_if(smbmount_t) + corenet_raw_sendrecv_generic_if(smbmount_t) +@@ -637,25 +684,26 @@ files_list_mnt(smbmount_t) files_mounton_mnt(smbmount_t) files_manage_etc_runtime_files(smbmount_t) files_etc_filetrans_etc_runtime(smbmount_t, file) @@ -50941,7 +52420,7 @@ index fc22785..98b89c4 100644 ######################################## # # SWAT Local policy -@@ -676,7 +723,8 @@ samba_domtrans_nmbd(swat_t) +@@ -676,7 +724,8 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -50951,7 +52430,7 @@ index fc22785..98b89c4 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -691,12 +739,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -691,12 +740,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -50966,7 +52445,7 @@ index fc22785..98b89c4 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -709,6 +759,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -709,6 +760,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; 
@@ -50974,6 +52453,14 @@ index fc22785..98b89c4 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; +@@ -718,7 +770,6 @@ kernel_read_network_state(swat_t) + + corecmd_search_bin(swat_t) + +-corenet_all_recvfrom_unlabeled(swat_t) + corenet_all_recvfrom_netlabel(swat_t) + corenet_tcp_sendrecv_generic_if(swat_t) + corenet_udp_sendrecv_generic_if(swat_t) @@ -736,7 +787,6 @@ corenet_sendrecv_ipp_client_packets(swat_t) dev_read_urand(swat_t) @@ -51005,7 +52492,7 @@ index fc22785..98b89c4 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -805,15 +860,19 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -805,21 +860,24 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -51030,7 +52517,13 @@ index fc22785..98b89c4 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -832,6 +891,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) + corecmd_exec_bin(winbind_t) + +-corenet_all_recvfrom_unlabeled(winbind_t) + corenet_all_recvfrom_netlabel(winbind_t) + corenet_tcp_sendrecv_generic_if(winbind_t) + corenet_udp_sendrecv_generic_if(winbind_t) +@@ -832,6 +890,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -51038,7 +52531,7 @@ index fc22785..98b89c4 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -847,12 +907,15 @@ auth_manage_cache(winbind_t) +@@ -847,12 +906,15 @@ auth_manage_cache(winbind_t) domain_use_interactive_fds(winbind_t) 
@@ -51055,7 +52548,7 @@ index fc22785..98b89c4 100644 userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) -@@ -863,6 +926,11 @@ userdom_manage_user_home_content_sockets(winbind_t) +@@ -863,6 +925,11 @@ userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) optional_policy(` @@ -51067,7 +52560,7 @@ index fc22785..98b89c4 100644 kerberos_use(winbind_t) ') -@@ -901,9 +969,10 @@ auth_use_nsswitch(winbind_helper_t) +@@ -901,9 +968,10 @@ auth_use_nsswitch(winbind_helper_t) logging_send_syslog_msg(winbind_helper_t) @@ -51080,7 +52573,7 @@ index fc22785..98b89c4 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -921,19 +990,34 @@ optional_policy(` +@@ -921,19 +989,34 @@ optional_policy(` # optional_policy(` @@ -51204,10 +52697,10 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/sandbox.if b/sandbox.if new file mode 100644 -index 0000000..809784d +index 0000000..7a474f6 --- /dev/null +++ b/sandbox.if -@@ -0,0 +1,364 @@ +@@ -0,0 +1,363 @@ + +## policy for sandbox + @@ -51294,7 +52787,6 @@ index 0000000..809784d + + gen_require(` + attribute sandbox_domain; -+ type sandbox_file_t; + attribute sandbox_type; + ') + type $1_t, sandbox_domain, sandbox_type; @@ -51574,10 +53066,10 @@ index 0000000..809784d +') diff --git a/sandbox.te b/sandbox.te new file mode 100644 -index 0000000..3203ede +index 0000000..964fd55 --- /dev/null +++ b/sandbox.te -@@ -0,0 +1,509 @@ +@@ -0,0 +1,506 @@ +policy_module(sandbox,1.0.0) + +dbus_stub() @@ -51649,7 +53141,6 @@ index 0000000..3203ede +corecmd_exec_bin(sandbox_xserver_t) +corecmd_exec_shell(sandbox_xserver_t) + -+corenet_all_recvfrom_unlabeled(sandbox_xserver_t) +corenet_all_recvfrom_netlabel(sandbox_xserver_t) +corenet_tcp_sendrecv_generic_if(sandbox_xserver_t) +corenet_udp_sendrecv_generic_if(sandbox_xserver_t) 
@@ -51969,7 +53460,6 @@ index 0000000..3203ede +dev_write_sound(sandbox_web_type) +dev_read_sound(sandbox_web_type) + -+corenet_all_recvfrom_unlabeled(sandbox_web_type) +corenet_all_recvfrom_netlabel(sandbox_web_type) +corenet_tcp_sendrecv_generic_if(sandbox_web_type) +corenet_raw_sendrecv_generic_if(sandbox_web_type) @@ -52068,7 +53558,6 @@ index 0000000..3203ede +# +typeattribute sandbox_net_client_t sandbox_web_type; + -+corenet_all_recvfrom_unlabeled(sandbox_net_client_t) +corenet_all_recvfrom_netlabel(sandbox_net_client_t) +corenet_tcp_sendrecv_generic_if(sandbox_net_client_t) +corenet_udp_sendrecv_generic_if(sandbox_net_client_t) @@ -52293,7 +53782,7 @@ index f1aea88..3e6a93f 100644 admin_pattern($1, saslauthd_var_run_t) ') diff --git a/sasl.te b/sasl.te -index 9d9f8ce..637b67c 100644 +index 9d9f8ce..c68cdf4 100644 --- a/sasl.te +++ b/sasl.te @@ -10,7 +10,7 @@ policy_module(sasl, 1.14.0) @@ -52315,7 +53804,7 @@ index 9d9f8ce..637b67c 100644 type saslauthd_var_run_t; files_pid_file(saslauthd_var_run_t) -@@ -38,16 +35,17 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms; +@@ -38,23 +35,24 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms; allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; allow saslauthd_t self:tcp_socket create_socket_perms; @@ -52336,9 +53825,9 @@ index 9d9f8ce..637b67c 100644 +#577519 +corecmd_exec_bin(saslauthd_t) - corenet_all_recvfrom_unlabeled(saslauthd_t) +-corenet_all_recvfrom_unlabeled(saslauthd_t) corenet_all_recvfrom_netlabel(saslauthd_t) -@@ -55,6 +53,7 @@ corenet_tcp_sendrecv_generic_if(saslauthd_t) + corenet_tcp_sendrecv_generic_if(saslauthd_t) corenet_tcp_sendrecv_generic_node(saslauthd_t) corenet_tcp_sendrecv_all_ports(saslauthd_t) corenet_tcp_connect_pop_port(saslauthd_t) 
@@ -52346,7 +53835,7 @@ index 9d9f8ce..637b67c 100644 corenet_sendrecv_pop_client_packets(saslauthd_t) dev_read_urand(saslauthd_t) -@@ -88,11 +87,12 @@ userdom_dontaudit_search_user_home_dirs(saslauthd_t) +@@ -88,11 +86,12 @@ userdom_dontaudit_search_user_home_dirs(saslauthd_t) # cjp: typeattribute doesnt work in conditionals auth_can_read_shadow_passwords(saslauthd_t) @@ -52592,7 +54081,7 @@ index c50a444..3ef87b4 100644 + can_exec($1, screen_exec_t) +') diff --git a/screen.te b/screen.te -index 2583626..13d933c 100644 +index 2583626..3fe988d 100644 --- a/screen.te +++ b/screen.te @@ -5,6 +5,8 @@ policy_module(screen, 2.5.0) @@ -52604,7 +54093,7 @@ index 2583626..13d933c 100644 type screen_exec_t; application_executable_file(screen_exec_t) -@@ -23,3 +25,92 @@ typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t +@@ -23,3 +25,91 @@ typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; files_pid_file(screen_var_run_t) ubac_constrained(screen_var_run_t) @@ -52652,7 +54141,6 @@ index 2583626..13d933c 100644 +corecmd_read_bin_pipes(screen_domain) +corecmd_read_bin_sockets(screen_domain) + -+corenet_all_recvfrom_unlabeled(screen_domain) +corenet_all_recvfrom_netlabel(screen_domain) +corenet_tcp_sendrecv_generic_if(screen_domain) +corenet_udp_sendrecv_generic_if(screen_domain) @@ -52895,7 +54383,7 @@ index 7e94c7c..ca74cd9 100644 + admin_pattern($1, mail_spool_t) +') diff --git a/sendmail.te b/sendmail.te -index 22dac1f..ba891c5 100644 +index 22dac1f..94f85f6 100644 --- a/sendmail.te +++ b/sendmail.te @@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t) 
@@ -52910,7 +54398,15 @@ index 22dac1f..ba891c5 100644 ######################################## # -@@ -79,17 +78,18 @@ corecmd_exec_bin(sendmail_t) +@@ -52,7 +51,6 @@ kernel_read_kernel_sysctls(sendmail_t) + # for piping mail to a command + kernel_read_system_state(sendmail_t) + +-corenet_all_recvfrom_unlabeled(sendmail_t) + corenet_all_recvfrom_netlabel(sendmail_t) + corenet_tcp_sendrecv_generic_if(sendmail_t) + corenet_tcp_sendrecv_generic_node(sendmail_t) +@@ -79,17 +77,18 @@ corecmd_exec_bin(sendmail_t) domain_use_interactive_fds(sendmail_t) @@ -52930,7 +54426,7 @@ index 22dac1f..ba891c5 100644 auth_use_nsswitch(sendmail_t) -@@ -103,7 +103,7 @@ miscfiles_read_generic_certs(sendmail_t) +@@ -103,7 +102,7 @@ miscfiles_read_generic_certs(sendmail_t) miscfiles_read_localization(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) @@ -52939,7 +54435,7 @@ index 22dac1f..ba891c5 100644 mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) -@@ -115,6 +115,10 @@ mta_manage_spool(sendmail_t) +@@ -115,6 +114,10 @@ mta_manage_spool(sendmail_t) mta_sendmail_exec(sendmail_t) optional_policy(` @@ -52950,7 +54446,7 @@ index 22dac1f..ba891c5 100644 cron_read_pipes(sendmail_t) ') -@@ -128,7 +132,14 @@ optional_policy(` +@@ -128,7 +131,14 @@ optional_policy(` ') optional_policy(` @@ -52965,7 +54461,7 @@ index 22dac1f..ba891c5 100644 ') optional_policy(` -@@ -149,7 +160,9 @@ optional_policy(` +@@ -149,7 +159,9 @@ optional_policy(` ') optional_policy(` @@ -52975,7 +54471,7 @@ index 22dac1f..ba891c5 100644 postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) ') -@@ -168,20 +181,13 @@ optional_policy(` +@@ -168,20 +180,13 @@ optional_policy(` ') optional_policy(` @@ -53071,7 +54567,7 @@ index bcdd16c..039b0c8 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 086cd5f..4a9afaa 100644 +index 086cd5f..67fd48d 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te 
@@ -13,6 +13,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -53094,7 +54590,7 @@ index 086cd5f..4a9afaa 100644 allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -49,17 +52,21 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble +@@ -49,19 +52,22 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) # pid file @@ -53115,9 +54611,11 @@ index 086cd5f..4a9afaa 100644 corecmd_exec_shell(setroubleshootd_t) +corecmd_read_all_executables(setroubleshootd_t) - corenet_all_recvfrom_unlabeled(setroubleshootd_t) +-corenet_all_recvfrom_unlabeled(setroubleshootd_t) corenet_all_recvfrom_netlabel(setroubleshootd_t) -@@ -79,12 +86,12 @@ domain_dontaudit_search_all_domains_state(setroubleshootd_t) + corenet_tcp_sendrecv_generic_if(setroubleshootd_t) + corenet_tcp_sendrecv_generic_node(setroubleshootd_t) +@@ -79,12 +85,12 @@ domain_dontaudit_search_all_domains_state(setroubleshootd_t) domain_signull_all_domains(setroubleshootd_t) files_read_usr_files(setroubleshootd_t) @@ -53131,7 +54629,7 @@ index 086cd5f..4a9afaa 100644 fs_getattr_all_dirs(setroubleshootd_t) fs_getattr_all_files(setroubleshootd_t) -@@ -95,6 +102,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t) +@@ -95,6 +101,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t) selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) @@ -53139,7 +54637,7 @@ index 086cd5f..4a9afaa 100644 term_dontaudit_use_all_ptys(setroubleshootd_t) term_dontaudit_use_all_ttys(setroubleshootd_t) -@@ -104,6 +112,8 @@ auth_use_nsswitch(setroubleshootd_t) +@@ -104,6 +111,8 @@ auth_use_nsswitch(setroubleshootd_t) init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) 
@@ -53148,7 +54646,7 @@ index 086cd5f..4a9afaa 100644 miscfiles_read_localization(setroubleshootd_t) locallogin_dontaudit_use_fds(setroubleshootd_t) -@@ -112,8 +122,6 @@ logging_send_audit_msgs(setroubleshootd_t) +@@ -112,8 +121,6 @@ logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) @@ -53157,7 +54655,7 @@ index 086cd5f..4a9afaa 100644 seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) seutil_read_bin_policy(setroubleshootd_t) -@@ -121,10 +129,23 @@ seutil_read_bin_policy(setroubleshootd_t) +@@ -121,10 +128,23 @@ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` @@ -53181,7 +54679,7 @@ index 086cd5f..4a9afaa 100644 rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) -@@ -151,10 +172,14 @@ kernel_read_system_state(setroubleshoot_fixit_t) +@@ -151,10 +171,14 @@ kernel_read_system_state(setroubleshoot_fixit_t) corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) @@ -53197,7 +54695,7 @@ index 086cd5f..4a9afaa 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -164,6 +189,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) +@@ -164,6 +188,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) @@ -53820,7 +55318,7 @@ index adea9f9..145adbd 100644 init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) domain_system_change_exemption($1) diff --git a/smartmon.te b/smartmon.te -index 6b3322b..c79f584 100644 +index 6b3322b..9a6149d 100644 --- a/smartmon.te +++ b/smartmon.te @@ -1,4 +1,4 @@ 
@@ -53838,7 +55336,7 @@ index 6b3322b..c79f584 100644 dontaudit fsdaemon_t self:capability sys_tty_config; allow fsdaemon_t self:process { getcap setcap signal_perms }; allow fsdaemon_t self:fifo_file rw_fifo_file_perms; -@@ -52,6 +52,7 @@ manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t) +@@ -52,12 +52,12 @@ manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t) files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file) kernel_read_kernel_sysctls(fsdaemon_t) @@ -53846,7 +55344,13 @@ index 6b3322b..c79f584 100644 kernel_read_software_raid_state(fsdaemon_t) kernel_read_system_state(fsdaemon_t) -@@ -73,19 +74,31 @@ files_read_etc_runtime_files(fsdaemon_t) + corecmd_exec_all_executables(fsdaemon_t) + +-corenet_all_recvfrom_unlabeled(fsdaemon_t) + corenet_all_recvfrom_netlabel(fsdaemon_t) + corenet_udp_sendrecv_generic_if(fsdaemon_t) + corenet_udp_sendrecv_generic_node(fsdaemon_t) +@@ -73,19 +73,31 @@ files_read_etc_runtime_files(fsdaemon_t) files_read_usr_files(fsdaemon_t) # for config files_read_etc_files(fsdaemon_t) @@ -54102,7 +55606,7 @@ index 275f9fb..f1343b7 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 595942d..ec73300 100644 +index 595942d..74c5752 100644 --- a/snmp.te +++ b/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.12.1) @@ -54130,7 +55634,7 @@ index 595942d..ec73300 100644 allow snmpd_t self:tcp_socket create_stream_socket_perms; allow snmpd_t self:udp_socket connected_stream_socket_perms; -@@ -41,18 +44,19 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) +@@ -41,23 +44,23 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) 
@@ -54154,7 +55658,12 @@ index 595942d..ec73300 100644 corecmd_exec_bin(snmpd_t) corecmd_exec_shell(snmpd_t) -@@ -83,10 +87,8 @@ dev_getattr_usbfs_dirs(snmpd_t) + +-corenet_all_recvfrom_unlabeled(snmpd_t) + corenet_all_recvfrom_netlabel(snmpd_t) + corenet_tcp_sendrecv_generic_if(snmpd_t) + corenet_udp_sendrecv_generic_if(snmpd_t) +@@ -83,10 +86,8 @@ dev_getattr_usbfs_dirs(snmpd_t) domain_use_interactive_fds(snmpd_t) domain_signull_all_domains(snmpd_t) domain_read_all_domains_state(snmpd_t) @@ -54165,7 +55674,7 @@ index 595942d..ec73300 100644 files_read_usr_files(snmpd_t) files_read_etc_runtime_files(snmpd_t) files_search_home(snmpd_t) -@@ -94,15 +96,19 @@ files_search_home(snmpd_t) +@@ -94,15 +95,19 @@ files_search_home(snmpd_t) fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) fs_search_auto_mountpoints(snmpd_t) @@ -54186,7 +55695,7 @@ index 595942d..ec73300 100644 logging_send_syslog_msg(snmpd_t) -@@ -115,7 +121,7 @@ sysnet_read_config(snmpd_t) +@@ -115,7 +120,7 @@ sysnet_read_config(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_search_user_home_dirs(snmpd_t) @@ -54195,7 +55704,7 @@ index 595942d..ec73300 100644 optional_policy(` rpm_read_db(snmpd_t) rpm_dontaudit_manage_db(snmpd_t) -@@ -140,6 +146,10 @@ optional_policy(` +@@ -140,6 +145,10 @@ optional_policy(` ') optional_policy(` @@ -54239,7 +55748,7 @@ index c117e8b..0eb909b 100644 + files_list_pids($1) ') diff --git a/snort.te b/snort.te -index 179bc1b..ad84161 100644 +index 179bc1b..84e5390 100644 --- a/snort.te +++ b/snort.te @@ -32,17 +32,18 @@ files_pid_file(snort_var_run_t) 
@@ -54264,6 +55773,14 @@ index 179bc1b..ad84161 100644 manage_files_pattern(snort_t, snort_log_t, snort_log_t) create_dirs_pattern(snort_t, snort_log_t, snort_log_t) +@@ -63,7 +64,6 @@ kernel_request_load_module(snort_t) + kernel_dontaudit_read_system_state(snort_t) + kernel_read_network_state(snort_t) + +-corenet_all_recvfrom_unlabeled(snort_t) + corenet_all_recvfrom_netlabel(snort_t) + corenet_tcp_sendrecv_generic_if(snort_t) + corenet_udp_sendrecv_generic_if(snort_t) diff --git a/sosreport.fc b/sosreport.fc index a40478e..050f521 100644 --- a/sosreport.fc @@ -54375,6 +55892,18 @@ index 93fe7bf..1b07ed4 100644 init_labeled_script_domtrans($1, soundd_initrc_exec_t) domain_system_change_exemption($1) +diff --git a/soundserver.te b/soundserver.te +index 3217605..14718f2 100644 +--- a/soundserver.te ++++ b/soundserver.te +@@ -68,7 +68,6 @@ kernel_read_kernel_sysctls(soundd_t) + kernel_list_proc(soundd_t) + kernel_read_proc_symlinks(soundd_t) + +-corenet_all_recvfrom_unlabeled(soundd_t) + corenet_all_recvfrom_netlabel(soundd_t) + corenet_tcp_sendrecv_generic_if(soundd_t) + corenet_udp_sendrecv_generic_if(soundd_t) diff --git a/spamassassin.fc b/spamassassin.fc index 6b3abf9..c1f28eb 100644 --- a/spamassassin.fc @@ -54649,7 +56178,7 @@ index c954f31..82fc7f6 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/spamassassin.te b/spamassassin.te -index 1bbf73b..bf120b4 100644 +index 1bbf73b..13cf9df 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -6,52 +6,41 @@ policy_module(spamassassin, 2.5.0) 
@@ -54840,7 +56369,15 @@ index 1bbf73b..bf120b4 100644 files_read_etc_runtime_files(spamassassin_t) files_list_home(spamassassin_t) files_read_usr_files(spamassassin_t) -@@ -144,6 +217,9 @@ tunable_policy(`spamassassin_can_network',` +@@ -134,7 +207,6 @@ tunable_policy(`spamassassin_can_network',` + allow spamassassin_t self:tcp_socket create_stream_socket_perms; + allow spamassassin_t self:udp_socket create_socket_perms; + +- corenet_all_recvfrom_unlabeled(spamassassin_t) + corenet_all_recvfrom_netlabel(spamassassin_t) + corenet_tcp_sendrecv_generic_if(spamassassin_t) + corenet_udp_sendrecv_generic_if(spamassassin_t) +@@ -144,6 +216,9 @@ tunable_policy(`spamassassin_can_network',` corenet_udp_sendrecv_all_ports(spamassassin_t) corenet_tcp_connect_all_ports(spamassassin_t) corenet_sendrecv_all_client_packets(spamassassin_t) @@ -54850,7 +56387,7 @@ index 1bbf73b..bf120b4 100644 sysnet_read_config(spamassassin_t) ') -@@ -154,25 +230,13 @@ tunable_policy(`spamd_enable_home_dirs',` +@@ -154,25 +229,13 @@ tunable_policy(`spamd_enable_home_dirs',` userdom_manage_user_home_content_symlinks(spamd_t) ') @@ -54877,7 +56414,7 @@ index 1bbf73b..bf120b4 100644 nis_use_ypbind_uncond(spamassassin_t) ') ') -@@ -180,6 +244,8 @@ optional_policy(` +@@ -180,6 +243,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) @@ -54886,7 +56423,7 @@ index 1bbf73b..bf120b4 100644 ') ######################################## -@@ -202,15 +268,36 @@ allow spamc_t self:unix_stream_socket connectto; +@@ -202,17 +267,37 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; 
@@ -54921,9 +56458,11 @@ index 1bbf73b..bf120b4 100644 + +corecmd_exec_bin(spamc_t) - corenet_all_recvfrom_unlabeled(spamc_t) +-corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -222,6 +309,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) + corenet_tcp_sendrecv_generic_if(spamc_t) + corenet_udp_sendrecv_generic_if(spamc_t) +@@ -222,6 +307,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) corenet_udp_sendrecv_all_ports(spamc_t) corenet_tcp_connect_all_ports(spamc_t) corenet_sendrecv_all_client_packets(spamc_t) @@ -54931,7 +56470,7 @@ index 1bbf73b..bf120b4 100644 fs_search_auto_mountpoints(spamc_t) -@@ -234,15 +322,19 @@ corecmd_read_bin_sockets(spamc_t) +@@ -234,15 +320,19 @@ corecmd_read_bin_sockets(spamc_t) domain_use_interactive_fds(spamc_t) @@ -54952,7 +56491,7 @@ index 1bbf73b..bf120b4 100644 miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -250,27 +342,35 @@ seutil_read_config(spamc_t) +@@ -250,27 +340,35 @@ seutil_read_config(spamc_t) sysnet_read_config(spamc_t) @@ -54994,7 +56533,7 @@ index 1bbf73b..bf120b4 100644 ') ######################################## -@@ -282,7 +382,7 @@ optional_policy(` +@@ -282,7 +380,7 @@ optional_policy(` # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -55003,7 +56542,7 @@ index 1bbf73b..bf120b4 100644 dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -298,10 +398,17 @@ allow spamd_t self:unix_dgram_socket sendto; +@@ -298,10 +396,17 @@ allow spamd_t self:unix_dgram_socket sendto; allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; 
@@ -55022,7 +56561,7 @@ index 1bbf73b..bf120b4 100644 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -310,11 +417,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) +@@ -310,16 +415,19 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -55040,7 +56579,12 @@ index 1bbf73b..bf120b4 100644 kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) -@@ -356,30 +467,29 @@ corecmd_exec_bin(spamd_t) + +-corenet_all_recvfrom_unlabeled(spamd_t) + corenet_all_recvfrom_netlabel(spamd_t) + corenet_tcp_sendrecv_generic_if(spamd_t) + corenet_udp_sendrecv_generic_if(spamd_t) +@@ -356,30 +464,29 @@ corecmd_exec_bin(spamd_t) domain_use_interactive_fds(spamd_t) files_read_usr_files(spamd_t) @@ -55079,7 +56623,7 @@ index 1bbf73b..bf120b4 100644 ') optional_policy(` -@@ -395,7 +505,9 @@ optional_policy(` +@@ -395,7 +502,9 @@ optional_policy(` ') optional_policy(` @@ -55089,7 +56633,7 @@ index 1bbf73b..bf120b4 100644 dcc_stream_connect_dccifd(spamd_t) ') -@@ -404,25 +516,17 @@ optional_policy(` +@@ -404,25 +513,17 @@ optional_policy(` ') optional_policy(` @@ -55117,7 +56661,7 @@ index 1bbf73b..bf120b4 100644 postgresql_stream_connect(spamd_t) ') -@@ -433,6 +537,10 @@ optional_policy(` +@@ -433,6 +534,10 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) @@ -55128,7 +56672,7 @@ index 1bbf73b..bf120b4 100644 ') optional_policy(` -@@ -440,6 +548,7 @@ optional_policy(` +@@ -440,6 +545,7 @@ optional_policy(` ') optional_policy(` @@ -55136,7 +56680,7 @@ index 1bbf73b..bf120b4 100644 sendmail_stub(spamd_t) mta_read_config(spamd_t) ') -@@ -447,3 +556,50 @@ optional_policy(` +@@ -447,3 +553,50 @@ optional_policy(` optional_policy(` udev_read_db(spamd_t) ') @@ -55227,7 +56771,7 @@ index d2496bd..c7614d7 100644 init_labeled_script_domtrans($1, squid_initrc_exec_t) domain_system_change_exemption($1) 
diff --git a/squid.te b/squid.te -index d24bd07..624dd50 100644 +index d24bd07..25734c5 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; @@ -55257,7 +56801,7 @@ index d24bd07..624dd50 100644 allow squid_t squid_conf_t:dir list_dir_perms; read_files_pattern(squid_t, squid_conf_t, squid_conf_t) -@@ -85,11 +89,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir }) +@@ -85,15 +89,19 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir }) manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) @@ -55274,7 +56818,11 @@ index d24bd07..624dd50 100644 files_dontaudit_getattr_boot_dirs(squid_t) -@@ -145,7 +154,6 @@ corecmd_exec_shell(squid_t) +-corenet_all_recvfrom_unlabeled(squid_t) + corenet_all_recvfrom_netlabel(squid_t) + corenet_tcp_sendrecv_generic_if(squid_t) + corenet_udp_sendrecv_generic_if(squid_t) +@@ -145,7 +153,6 @@ corecmd_exec_shell(squid_t) domain_use_interactive_fds(squid_t) @@ -55282,7 +56830,7 @@ index d24bd07..624dd50 100644 files_read_etc_runtime_files(squid_t) files_read_usr_files(squid_t) files_search_spool(squid_t) -@@ -169,7 +177,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t) +@@ -169,7 +176,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t) tunable_policy(`squid_connect_any',` corenet_tcp_connect_all_ports(squid_t) corenet_tcp_bind_all_ports(squid_t) 
@@ -55292,15 +56840,18 @@ index d24bd07..624dd50 100644 ') tunable_policy(`squid_use_tproxy',` -@@ -185,6 +194,7 @@ optional_policy(` - corenet_all_recvfrom_unlabeled(httpd_squid_script_t) +@@ -182,9 +190,9 @@ optional_policy(` + + allow httpd_squid_script_t self:tcp_socket create_socket_perms; + +- corenet_all_recvfrom_unlabeled(httpd_squid_script_t) corenet_all_recvfrom_netlabel(httpd_squid_script_t) corenet_tcp_connect_http_cache_port(httpd_squid_script_t) + corenet_tcp_connect_squid_port(httpd_squid_script_t) sysnet_dns_name_resolve(httpd_squid_script_t) -@@ -206,3 +216,7 @@ optional_policy(` +@@ -206,3 +214,7 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') @@ -55879,7 +57430,7 @@ index 0000000..fa12095 +') + diff --git a/stunnel.te b/stunnel.te -index f646c66..6fef759 100644 +index f646c66..8488d8f 100644 --- a/stunnel.te +++ b/stunnel.te @@ -40,7 +40,7 @@ allow stunnel_t self:udp_socket create_socket_perms; @@ -55891,7 +57442,15 @@ index f646c66..6fef759 100644 manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) -@@ -106,7 +106,6 @@ ifdef(`distro_gentoo', ` +@@ -56,7 +56,6 @@ kernel_read_network_state(stunnel_t) + + corecmd_exec_bin(stunnel_t) + +-corenet_all_recvfrom_unlabeled(stunnel_t) + corenet_all_recvfrom_netlabel(stunnel_t) + corenet_tcp_sendrecv_generic_if(stunnel_t) + corenet_udp_sendrecv_generic_if(stunnel_t) +@@ -106,7 +105,6 @@ ifdef(`distro_gentoo', ` dev_read_urand(stunnel_t) @@ -55899,7 +57458,7 @@ index f646c66..6fef759 100644 files_read_etc_runtime_files(stunnel_t) files_search_home(stunnel_t) -@@ -120,4 +119,5 @@ ifdef(`distro_gentoo', ` +@@ -120,4 +118,5 @@ ifdef(`distro_gentoo', ` gen_require(` type stunnel_port_t; ') @@ -56108,10 +57667,18 @@ index 0000000..df04e25 +sysnet_dns_name_resolve(svnserve_t) + diff --git a/sxid.te b/sxid.te -index 32822ab..bc5b962 100644 +index 32822ab..6b0a5d9 100644 --- a/sxid.te 
+++ b/sxid.te -@@ -66,7 +66,7 @@ fs_list_all(sxid_t) +@@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t) + corecmd_exec_bin(sxid_t) + corecmd_exec_shell(sxid_t) + +-corenet_all_recvfrom_unlabeled(sxid_t) + corenet_all_recvfrom_netlabel(sxid_t) + corenet_tcp_sendrecv_generic_if(sxid_t) + corenet_udp_sendrecv_generic_if(sxid_t) +@@ -66,7 +65,7 @@ fs_list_all(sxid_t) term_dontaudit_use_console(sxid_t) @@ -56120,7 +57687,7 @@ index 32822ab..bc5b962 100644 auth_dontaudit_getattr_shadow(sxid_t) init_use_fds(sxid_t) -@@ -76,13 +76,17 @@ logging_send_syslog_msg(sxid_t) +@@ -76,13 +75,17 @@ logging_send_syslog_msg(sxid_t) miscfiles_read_localization(sxid_t) @@ -56194,6 +57761,18 @@ index 200ea66..04e4828 100644 -optional_policy(` - logging_send_syslog_msg(sysstat_t) -') +diff --git a/tcpd.te b/tcpd.te +index 7038b55..7a6048c 100644 +--- a/tcpd.te ++++ b/tcpd.te +@@ -22,7 +22,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) + manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) + files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir }) + +-corenet_all_recvfrom_unlabeled(tcpd_t) + corenet_all_recvfrom_netlabel(tcpd_t) + corenet_tcp_sendrecv_generic_if(tcpd_t) + corenet_tcp_sendrecv_generic_node(tcpd_t) diff --git a/tcsd.if b/tcsd.if index 595f5a7..4e518cf 100644 --- a/tcsd.if @@ -56212,10 +57791,18 @@ index 595f5a7..4e518cf 100644 tcsd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/tcsd.te b/tcsd.te -index ee9f3c6..92db004 100644 +index ee9f3c6..6523b05 100644 --- a/tcsd.te +++ b/tcsd.te -@@ -38,7 +38,6 @@ dev_read_urand(tcsd_t) +@@ -30,7 +30,6 @@ manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t) + files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir }) + + # Accept connections on the TCS port over loopback. +-corenet_all_recvfrom_unlabeled(tcsd_t) + corenet_tcp_bind_generic_node(tcsd_t) + corenet_tcp_bind_tcs_port(tcsd_t) + +@@ -38,7 +37,6 @@ dev_read_urand(tcsd_t) # Access /dev/tpm0. dev_rw_tpm(tcsd_t) 
@@ -56223,7 +57810,7 @@ index ee9f3c6..92db004 100644 files_read_usr_files(tcsd_t) auth_use_nsswitch(tcsd_t) -@@ -46,5 +45,3 @@ auth_use_nsswitch(tcsd_t) +@@ -46,5 +44,3 @@ auth_use_nsswitch(tcsd_t) logging_send_syslog_msg(tcsd_t) miscfiles_read_localization(tcsd_t) @@ -56441,7 +58028,7 @@ index 6bf75ef..d49274d 100644 + gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy") +') diff --git a/telepathy.te b/telepathy.te -index ad6a38d..e498634 100644 +index ad6a38d..cca6cff 100644 --- a/telepathy.te +++ b/telepathy.te @@ -7,16 +7,16 @@ policy_module(telepathy, 1.2.0) @@ -56494,7 +58081,7 @@ index ad6a38d..e498634 100644 type telepathy_mission_control_cache_home_t; userdom_user_home_content(telepathy_mission_control_cache_home_t) -@@ -67,6 +76,15 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble +@@ -67,8 +76,16 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) @@ -56508,9 +58095,11 @@ index ad6a38d..e498634 100644 +') + corenet_all_recvfrom_netlabel(telepathy_gabble_t) - corenet_all_recvfrom_unlabeled(telepathy_gabble_t) +-corenet_all_recvfrom_unlabeled(telepathy_gabble_t) corenet_tcp_sendrecv_generic_if(telepathy_gabble_t) -@@ -98,18 +116,14 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` + corenet_tcp_sendrecv_generic_node(telepathy_gabble_t) + corenet_tcp_connect_http_port(telepathy_gabble_t) +@@ -98,18 +115,14 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` corenet_sendrecv_generic_client_packets(telepathy_gabble_t) ') 
@@ -56533,7 +58122,15 @@ index ad6a38d..e498634 100644 ') ####################################### -@@ -147,10 +161,13 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -118,7 +131,6 @@ optional_policy(` + # + + corenet_all_recvfrom_netlabel(telepathy_idle_t) +-corenet_all_recvfrom_unlabeled(telepathy_idle_t) + corenet_tcp_sendrecv_generic_if(telepathy_idle_t) + corenet_tcp_sendrecv_generic_node(telepathy_idle_t) + corenet_tcp_connect_gatekeeper_port(telepathy_idle_t) +@@ -147,10 +159,13 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` allow telepathy_logger_t self:unix_stream_socket create_socket_perms; @@ -56547,7 +58144,7 @@ index ad6a38d..e498634 100644 files_read_etc_files(telepathy_logger_t) files_read_usr_files(telepathy_logger_t) -@@ -158,40 +175,58 @@ files_search_pids(telepathy_logger_t) +@@ -158,40 +173,58 @@ files_search_pids(telepathy_logger_t) fs_getattr_all_fs(telepathy_logger_t) @@ -56619,7 +58216,7 @@ index ad6a38d..e498634 100644 ') ####################################### -@@ -205,8 +240,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; +@@ -205,11 +238,13 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) 
@@ -56630,8 +58227,11 @@ index ad6a38d..e498634 100644 +can_exec(telepathy_msn_t, telepathy_msn_tmp_t) corenet_all_recvfrom_netlabel(telepathy_msn_t) - corenet_all_recvfrom_unlabeled(telepathy_msn_t) -@@ -228,6 +266,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t) +-corenet_all_recvfrom_unlabeled(telepathy_msn_t) + corenet_tcp_sendrecv_generic_if(telepathy_msn_t) + corenet_tcp_sendrecv_generic_node(telepathy_msn_t) + corenet_tcp_bind_generic_node(telepathy_msn_t) +@@ -228,6 +263,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t) files_read_etc_files(telepathy_msn_t) files_read_usr_files(telepathy_msn_t) @@ -56640,7 +58240,7 @@ index ad6a38d..e498634 100644 libs_exec_ldconfig(telepathy_msn_t) logging_send_syslog_msg(telepathy_msn_t) -@@ -246,6 +286,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -246,6 +283,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` ') optional_policy(` 
@@ -56651,7 +58251,23 @@ index ad6a38d..e498634 100644 dbus_system_bus_client(telepathy_msn_t) optional_policy(` -@@ -361,14 +405,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms; +@@ -264,7 +305,6 @@ manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_sa + files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file) + + corenet_all_recvfrom_netlabel(telepathy_salut_t) +-corenet_all_recvfrom_unlabeled(telepathy_salut_t) + corenet_tcp_sendrecv_generic_if(telepathy_salut_t) + corenet_tcp_sendrecv_generic_node(telepathy_salut_t) + corenet_tcp_bind_generic_node(telepathy_salut_t) +@@ -302,7 +342,6 @@ allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen }; + allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms; + + corenet_all_recvfrom_netlabel(telepathy_sofiasip_t) +-corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t) + corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t) + corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t) + corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t) +@@ -361,14 +400,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms; allow telepathy_domain self:tcp_socket create_socket_perms; allow telepathy_domain self:udp_socket create_socket_perms; @@ -56670,7 +58286,7 @@ index ad6a38d..e498634 100644 miscfiles_read_localization(telepathy_domain) optional_policy(` -@@ -376,5 +422,23 @@ optional_policy(` +@@ -376,5 +417,23 @@ optional_policy(` ') optional_policy(` @@ -56719,7 +58335,7 @@ index 58e7ec0..e4119f7 100644 + allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms; +') diff --git a/telnet.te b/telnet.te -index f40e67b..e4cae03 100644 +index f40e67b..ec3bb78 100644 --- a/telnet.te +++ b/telnet.te @@ -24,21 +24,20 @@ files_pid_file(telnetd_var_run_t) 
@@ -56747,7 +58363,15 @@ index f40e67b..e4cae03 100644 manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t) files_pid_filetrans(telnetd_t, telnetd_var_run_t, file) -@@ -68,7 +67,6 @@ auth_use_nsswitch(telnetd_t) +@@ -47,7 +46,6 @@ kernel_read_kernel_sysctls(telnetd_t) + kernel_read_system_state(telnetd_t) + kernel_read_network_state(telnetd_t) + +-corenet_all_recvfrom_unlabeled(telnetd_t) + corenet_all_recvfrom_netlabel(telnetd_t) + corenet_tcp_sendrecv_generic_if(telnetd_t) + corenet_udp_sendrecv_generic_if(telnetd_t) +@@ -68,7 +66,6 @@ auth_use_nsswitch(telnetd_t) corecmd_search_bin(telnetd_t) files_read_usr_files(telnetd_t) @@ -56755,7 +58379,7 @@ index f40e67b..e4cae03 100644 files_read_etc_runtime_files(telnetd_t) # for identd; cjp: this should probably only be inetd_child rules? files_search_home(telnetd_t) -@@ -81,15 +79,10 @@ miscfiles_read_localization(telnetd_t) +@@ -81,15 +78,10 @@ miscfiles_read_localization(telnetd_t) seutil_read_config(telnetd_t) @@ -56773,7 +58397,7 @@ index f40e67b..e4cae03 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_nfs(telnetd_t) -@@ -98,3 +91,13 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -98,3 +90,13 @@ tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_samba_home_dirs',` fs_search_cifs(telnetd_t) ') @@ -56949,7 +58573,7 @@ index 38bb312..0a40bc5 100644 + tftp_manage_config($1) ') diff --git a/tftp.te b/tftp.te -index d50c10d..787bfb2 100644 +index d50c10d..ef4647f 100644 --- a/tftp.te +++ b/tftp.te @@ -26,21 +26,26 @@ files_type(tftpdir_t) 
@@ -56981,7 +58605,15 @@ index d50c10d..787bfb2 100644 manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) -@@ -72,7 +77,6 @@ fs_search_auto_mountpoints(tftpd_t) +@@ -52,7 +57,6 @@ files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) + kernel_read_system_state(tftpd_t) + kernel_read_kernel_sysctls(tftpd_t) + +-corenet_all_recvfrom_unlabeled(tftpd_t) + corenet_all_recvfrom_netlabel(tftpd_t) + corenet_tcp_sendrecv_generic_if(tftpd_t) + corenet_udp_sendrecv_generic_if(tftpd_t) +@@ -72,7 +76,6 @@ fs_search_auto_mountpoints(tftpd_t) domain_use_interactive_fds(tftpd_t) @@ -56989,7 +58621,7 @@ index d50c10d..787bfb2 100644 files_read_etc_runtime_files(tftpd_t) files_read_var_files(tftpd_t) files_read_var_symlinks(tftpd_t) -@@ -94,6 +98,10 @@ tunable_policy(`tftp_anon_write',` +@@ -94,6 +97,10 @@ tunable_policy(`tftp_anon_write',` ') optional_policy(` @@ -57010,7 +58642,7 @@ index 8294f6f..4847b43 100644 /var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) +/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0) diff --git a/tgtd.te b/tgtd.te -index 80fe75c..cdeafc5 100644 +index 80fe75c..9c3fc55 100644 --- a/tgtd.te +++ b/tgtd.te @@ -21,6 +21,9 @@ files_tmpfs_file(tgtd_tmpfs_t) @@ -57032,7 +58664,7 @@ index 80fe75c..cdeafc5 100644 allow tgtd_t self:shm create_shm_perms; allow tgtd_t self:sem create_sem_perms; allow tgtd_t self:tcp_socket create_stream_socket_perms; -@@ -46,6 +49,12 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) +@@ -46,10 +49,15 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file }) 
@@ -57045,7 +58677,11 @@ index 80fe75c..cdeafc5 100644 kernel_read_fs_sysctls(tgtd_t) corenet_all_recvfrom_netlabel(tgtd_t) -@@ -57,10 +66,18 @@ corenet_tcp_bind_generic_node(tgtd_t) +-corenet_all_recvfrom_unlabeled(tgtd_t) + corenet_tcp_sendrecv_generic_if(tgtd_t) + corenet_tcp_sendrecv_generic_node(tgtd_t) + corenet_tcp_sendrecv_iscsi_port(tgtd_t) +@@ -57,10 +65,18 @@ corenet_tcp_bind_generic_node(tgtd_t) corenet_tcp_bind_iscsi_port(tgtd_t) corenet_sendrecv_iscsi_server_packets(tgtd_t) @@ -57510,10 +59146,18 @@ index 0000000..389ccab + gnome_exec_gstreamer_home_files(thumb_t) +') diff --git a/thunderbird.te b/thunderbird.te -index bf37d98..2feb849 100644 +index bf37d98..9456124 100644 --- a/thunderbird.te +++ b/thunderbird.te -@@ -82,7 +82,6 @@ dev_dontaudit_search_sysfs(thunderbird_t) +@@ -54,7 +54,6 @@ kernel_read_system_state(thunderbird_t) + # Startup shellscript + corecmd_exec_shell(thunderbird_t) + +-corenet_all_recvfrom_unlabeled(thunderbird_t) + corenet_all_recvfrom_netlabel(thunderbird_t) + corenet_tcp_sendrecv_generic_if(thunderbird_t) + corenet_tcp_sendrecv_generic_node(thunderbird_t) +@@ -82,7 +81,6 @@ dev_dontaudit_search_sysfs(thunderbird_t) files_list_tmp(thunderbird_t) files_read_usr_files(thunderbird_t) @@ -57521,7 +59165,7 @@ index bf37d98..2feb849 100644 files_read_etc_runtime_files(thunderbird_t) files_read_var_files(thunderbird_t) files_read_var_symlinks(thunderbird_t) -@@ -112,17 +111,7 @@ xserver_read_xdm_tmp_files(thunderbird_t) +@@ -112,17 +110,7 @@ xserver_read_xdm_tmp_files(thunderbird_t) xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) # Access ~/.thunderbird 
@@ -57540,6 +59184,18 @@ index bf37d98..2feb849 100644 tunable_policy(`mail_read_content && use_nfs_home_dirs',` files_list_home(thunderbird_t) +diff --git a/timidity.te b/timidity.te +index 67b5592..ccddff5 100644 +--- a/timidity.te ++++ b/timidity.te +@@ -39,7 +39,6 @@ kernel_read_kernel_sysctls(timidity_t) + # read /proc/cpuinfo + kernel_read_system_state(timidity_t) + +-corenet_all_recvfrom_unlabeled(timidity_t) + corenet_all_recvfrom_netlabel(timidity_t) + corenet_tcp_sendrecv_generic_if(timidity_t) + corenet_udp_sendrecv_generic_if(timidity_t) diff --git a/tmpreaper.te b/tmpreaper.te index 0521d5a..1d41128 100644 --- a/tmpreaper.te @@ -58196,7 +59852,7 @@ index 904f13e..5801347 100644 + ') ') diff --git a/tor.te b/tor.te -index c842cad..d59fe83 100644 +index c842cad..7f05b44 100644 --- a/tor.te +++ b/tor.te @@ -36,12 +36,16 @@ logging_log_file(tor_var_log_t) @@ -58216,7 +59872,15 @@ index c842cad..d59fe83 100644 allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; -@@ -87,6 +91,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t) +@@ -75,7 +79,6 @@ files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file }) + kernel_read_system_state(tor_t) + + # networking basics +-corenet_all_recvfrom_unlabeled(tor_t) + corenet_all_recvfrom_netlabel(tor_t) + corenet_tcp_sendrecv_generic_if(tor_t) + corenet_udp_sendrecv_generic_if(tor_t) +@@ -87,6 +90,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t) corenet_tcp_bind_generic_node(tor_t) corenet_udp_bind_generic_node(tor_t) corenet_tcp_bind_tor_port(tor_t) 
@@ -58224,7 +59888,7 @@ index c842cad..d59fe83 100644 corenet_udp_bind_dns_port(tor_t) corenet_sendrecv_tor_server_packets(tor_t) corenet_sendrecv_dns_server_packets(tor_t) -@@ -95,13 +100,14 @@ corenet_tcp_connect_all_ports(tor_t) +@@ -95,13 +99,14 @@ corenet_tcp_connect_all_ports(tor_t) corenet_sendrecv_all_client_packets(tor_t) # ... especially including port 80 and other privileged ports corenet_tcp_connect_all_reserved_ports(tor_t) @@ -58240,6 +59904,18 @@ index c842cad..d59fe83 100644 files_read_etc_runtime_files(tor_t) files_read_usr_files(tor_t) +diff --git a/transproxy.te b/transproxy.te +index 95cf0c0..5ad358e 100644 +--- a/transproxy.te ++++ b/transproxy.te +@@ -29,7 +29,6 @@ kernel_read_kernel_sysctls(transproxy_t) + kernel_list_proc(transproxy_t) + kernel_read_proc_symlinks(transproxy_t) + +-corenet_all_recvfrom_unlabeled(transproxy_t) + corenet_all_recvfrom_netlabel(transproxy_t) + corenet_tcp_sendrecv_generic_if(transproxy_t) + corenet_tcp_sendrecv_generic_node(transproxy_t) diff --git a/tripwire.te b/tripwire.te index 2ae8b62..a8e786b 100644 --- a/tripwire.te @@ -58488,10 +60164,26 @@ index c1feba4..bf82170 100644 + domtrans_pattern(ucspitcp_t, $2, $1) ') diff --git a/ucspitcp.te b/ucspitcp.te -index a0794bf..2fde184 100644 +index a0794bf..a05c54c 100644 --- a/ucspitcp.te 
+++ b/ucspitcp.te -@@ -89,5 +89,7 @@ sysnet_read_config(ucspitcp_t) +@@ -24,7 +24,6 @@ ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t) + + corecmd_search_bin(rblsmtpd_t) + +-corenet_all_recvfrom_unlabeled(rblsmtpd_t) + corenet_all_recvfrom_netlabel(rblsmtpd_t) + corenet_tcp_sendrecv_generic_if(rblsmtpd_t) + corenet_udp_sendrecv_generic_if(rblsmtpd_t) +@@ -55,7 +54,6 @@ allow ucspitcp_t self:udp_socket create_socket_perms; + corecmd_search_bin(ucspitcp_t) + + # base networking: +-corenet_all_recvfrom_unlabeled(ucspitcp_t) + corenet_all_recvfrom_netlabel(ucspitcp_t) + corenet_tcp_sendrecv_generic_if(ucspitcp_t) + corenet_udp_sendrecv_generic_if(ucspitcp_t) +@@ -89,5 +87,7 @@ sysnet_read_config(ucspitcp_t) optional_policy(` daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) @@ -58561,7 +60253,7 @@ index d2ab7cb..ddb34f1 100644 allow $2 uml_ro_t:dir list_dir_perms; read_files_pattern($2, uml_ro_t, uml_ro_t) diff --git a/uml.te b/uml.te -index ff094e5..28c5b63 100644 +index ff094e5..1b11396 100644 --- a/uml.te +++ b/uml.te @@ -50,7 +50,7 @@ files_pid_file(uml_switch_var_run_t) @@ -58573,7 +60265,15 @@ index ff094e5..28c5b63 100644 allow uml_t self:unix_stream_socket create_stream_socket_perms; allow uml_t self:unix_dgram_socket create_socket_perms; # Use the network. -@@ -131,7 +131,7 @@ seutil_use_newrole_fds(uml_t) +@@ -97,7 +97,6 @@ kernel_write_proc_files(uml_t) + # for xterm + corecmd_exec_bin(uml_t) + +-corenet_all_recvfrom_unlabeled(uml_t) + corenet_all_recvfrom_netlabel(uml_t) + corenet_tcp_sendrecv_generic_if(uml_t) + corenet_udp_sendrecv_generic_if(uml_t) +@@ -131,7 +130,7 @@ seutil_use_newrole_fds(uml_t) # Use the network. sysnet_read_config(uml_t) @@ -59015,7 +60715,7 @@ index ebc5414..8f8ac45 100644 logging_list_logs($1) admin_pattern($1, uucpd_log_t) diff --git a/uucp.te b/uucp.te -index d4349e9..2634d44 100644 +index d4349e9..cd495f4 100644 --- a/uucp.te +++ b/uucp.te @@ -24,7 +24,7 @@ type uucpd_ro_t; 
@@ -59027,7 +60727,15 @@ index d4349e9..2634d44 100644 type uucpd_log_t; logging_log_file(uucpd_log_t) -@@ -83,6 +83,7 @@ corenet_udp_sendrecv_generic_node(uucpd_t) +@@ -74,7 +74,6 @@ kernel_read_kernel_sysctls(uucpd_t) + kernel_read_system_state(uucpd_t) + kernel_read_network_state(uucpd_t) + +-corenet_all_recvfrom_unlabeled(uucpd_t) + corenet_all_recvfrom_netlabel(uucpd_t) + corenet_tcp_sendrecv_generic_if(uucpd_t) + corenet_udp_sendrecv_generic_if(uucpd_t) +@@ -83,6 +82,7 @@ corenet_udp_sendrecv_generic_node(uucpd_t) corenet_tcp_sendrecv_all_ports(uucpd_t) corenet_udp_sendrecv_all_ports(uucpd_t) corenet_tcp_connect_ssh_port(uucpd_t) @@ -59035,7 +60743,7 @@ index d4349e9..2634d44 100644 dev_read_urand(uucpd_t) -@@ -91,7 +92,6 @@ fs_getattr_xattr_fs(uucpd_t) +@@ -91,7 +91,6 @@ fs_getattr_xattr_fs(uucpd_t) corecmd_exec_bin(uucpd_t) corecmd_exec_shell(uucpd_t) @@ -59043,7 +60751,7 @@ index d4349e9..2634d44 100644 files_search_home(uucpd_t) files_search_spool(uucpd_t) -@@ -125,15 +125,18 @@ optional_policy(` +@@ -125,15 +124,18 @@ optional_policy(` allow uux_t self:capability { setuid setgid }; allow uux_t self:fifo_file write_fifo_file_perms; @@ -59063,7 +60771,7 @@ index d4349e9..2634d44 100644 logging_send_syslog_msg(uux_t) miscfiles_read_localization(uux_t) -@@ -145,5 +148,5 @@ optional_policy(` +@@ -145,5 +147,5 @@ optional_policy(` ') optional_policy(` @@ -59095,6 +60803,18 @@ index 5d43bd5..879a5cb 100644 uuidd_initrc_domtrans($1) domain_system_change_exemption($1) +diff --git a/uwimap.te b/uwimap.te +index 46d9811..8be9765 100644 +--- a/uwimap.te ++++ b/uwimap.te +@@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t) + kernel_list_proc(imapd_t) + kernel_read_proc_symlinks(imapd_t) + +-corenet_all_recvfrom_unlabeled(imapd_t) + corenet_all_recvfrom_netlabel(imapd_t) + corenet_tcp_sendrecv_generic_if(imapd_t) + corenet_tcp_sendrecv_generic_node(imapd_t) diff --git a/varnishd.if b/varnishd.if index 93975d6..bd248ce 100644 --- a/varnishd.if 
@@ -59436,7 +61156,7 @@ index 32a3c13..759f08c 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index 2124b6a..5072bd7 100644 +index 2124b6a..37e03e4 100644 --- a/virt.fc +++ b/virt.fc @@ -1,5 +1,7 @@ @@ -59449,7 +61169,7 @@ index 2124b6a..5072bd7 100644 HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) -@@ -12,18 +14,49 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t +@@ -12,18 +14,52 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) @@ -59459,6 +61179,7 @@ index 2124b6a..5072bd7 100644 +/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) ++/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) -/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) 
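Review bot: The new fcontext `++/usr/bin/virt-sandbox-service.*` ends in an unescaped `.` followed by `*`, so it matches anything that starts with `virt-sandbox-service` — the bare name, `virt-sandbox-service-foo`, but also `virt-sandbox-serviceX` — and labels all of it `virsh_exec_t`, presumably the entrypoint type for virsh_t. If the intent is the command plus its dash-separated helpers, `/usr/bin/virt-sandbox-service(-.*)?` says that without the open-ended suffix. The matching `can_exec(virsh_t, virsh_exec_t)` added in the virt.te hunk is the likely reason for this labeling; a short comment on the fc line pointing at it would make the pairing easy to find.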
@@ -59474,11 +61195,13 @@ index 2124b6a..5072bd7 100644 +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) ++/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) +/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) ++/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) @@ -60187,7 +61910,7 @@ index 7c5d8d8..9883b66 100644 + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") ') diff --git a/virt.te b/virt.te -index ad3068a..39a5a70 100644 +index ad3068a..1157058 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,87 @@ policy_module(virt, 1.4.2) @@ -60539,7 +62262,7 @@ index ad3068a..39a5a70 100644 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -225,9 +355,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -225,16 +355,21 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) 
@@ -60555,7 +62278,14 @@ index ad3068a..39a5a70 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -247,22 +383,31 @@ corenet_tcp_connect_soundd_port(virtd_t) + corecmd_exec_bin(virtd_t) + corecmd_exec_shell(virtd_t) + +-corenet_all_recvfrom_unlabeled(virtd_t) + corenet_all_recvfrom_netlabel(virtd_t) + corenet_tcp_sendrecv_generic_if(virtd_t) + corenet_tcp_sendrecv_generic_node(virtd_t) +@@ -247,22 +382,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -60589,7 +62319,7 @@ index ad3068a..39a5a70 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -270,6 +415,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -270,6 +414,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -60608,7 +62338,7 @@ index ad3068a..39a5a70 100644 mcs_process_set_categories(virtd_t) -@@ -284,6 +441,8 @@ term_use_ptmx(virtd_t) +@@ -284,6 +440,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -60617,7 +62347,7 @@ index ad3068a..39a5a70 100644 miscfiles_read_localization(virtd_t) miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -293,17 +452,32 @@ modutils_read_module_config(virtd_t) +@@ -293,17 +451,32 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -60650,7 +62380,7 @@ index ad3068a..39a5a70 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -322,6 +496,10 @@ optional_policy(` +@@ -322,6 +495,10 @@ optional_policy(` ') optional_policy(` @@ -60661,7 +62391,7 @@ index ad3068a..39a5a70 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -335,19 +513,30 @@ optional_policy(` +@@ -335,19 +512,30 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') 
@@ -60693,7 +62423,7 @@ index ad3068a..39a5a70 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -362,6 +551,12 @@ optional_policy(` +@@ -362,6 +550,12 @@ optional_policy(` ') optional_policy(` @@ -60706,7 +62436,7 @@ index ad3068a..39a5a70 100644 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) -@@ -369,11 +564,11 @@ optional_policy(` +@@ -369,11 +563,11 @@ optional_policy(` ') optional_policy(` @@ -60723,7 +62453,7 @@ index ad3068a..39a5a70 100644 ') optional_policy(` -@@ -384,6 +579,7 @@ optional_policy(` +@@ -384,6 +578,7 @@ optional_policy(` kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) @@ -60731,7 +62461,7 @@ index ad3068a..39a5a70 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -403,20 +599,36 @@ optional_policy(` +@@ -403,34 +598,51 @@ optional_policy(` # virtual domains common policy # @@ -60771,7 +62501,10 @@ index ad3068a..39a5a70 100644 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) -@@ -427,10 +639,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +-corenet_all_recvfrom_unlabeled(virt_domain) + corenet_all_recvfrom_netlabel(virt_domain) + corenet_tcp_sendrecv_generic_if(virt_domain) + corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) @@ -60785,7 +62518,7 @@ index ad3068a..39a5a70 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,10 +652,11 @@ dev_write_sound(virt_domain) +@@ -438,10 +650,11 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) 
@@ -60798,7 +62531,7 @@ index ad3068a..39a5a70 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -449,25 +664,440 @@ files_search_all(virt_domain) +@@ -449,25 +662,442 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -60806,12 +62539,12 @@ index ad3068a..39a5a70 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) - --term_use_all_terms(virt_domain) ++ +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) -+ + +-term_use_all_terms(virt_domain) +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) @@ -60858,6 +62591,8 @@ index ad3068a..39a5a70 100644 +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; + ++can_exec(virsh_t, virsh_exec_t) ++ +manage_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) @@ -61253,7 +62988,7 @@ index 2511093..9e5625e 100644 -userdom_use_user_terminals(vlock_t) +userdom_use_inherited_user_terminals(vlock_t) diff --git a/vmware.te b/vmware.te -index f21389b..482db56 100644 +index f21389b..b8ed066 100644 --- a/vmware.te +++ b/vmware.te @@ -68,7 +68,7 @@ ifdef(`enable_mcs',` 
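Review bot: `++can_exec(virsh_t, virsh_exec_t)` is added without a comment, and nothing in this hunk explains why a domain needs to execute its own entrypoint type with no transition; the `/usr/bin/virt-sandbox-service.*` labeling added in the virt.fc hunk is presumably the reason. A one-line comment such as `# virt-sandbox-service.* is labeled virsh_exec_t; virsh_t runs it without a transition — confirm` would record the dependency between the two hunks. The virsh_t local-policy block begins and ends outside the hunk.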
@@ -61265,7 +63000,15 @@ index f21389b..482db56 100644 dontaudit vmware_host_t self:capability sys_tty_config; allow vmware_host_t self:process { execstack execmem signal_perms }; allow vmware_host_t self:fifo_file rw_fifo_file_perms; -@@ -122,6 +122,7 @@ dev_getattr_all_blk_files(vmware_host_t) +@@ -98,7 +98,6 @@ kernel_read_kernel_sysctls(vmware_host_t) + kernel_read_system_state(vmware_host_t) + kernel_read_network_state(vmware_host_t) + +-corenet_all_recvfrom_unlabeled(vmware_host_t) + corenet_all_recvfrom_netlabel(vmware_host_t) + corenet_tcp_sendrecv_generic_if(vmware_host_t) + corenet_udp_sendrecv_generic_if(vmware_host_t) +@@ -122,6 +121,7 @@ dev_getattr_all_blk_files(vmware_host_t) dev_read_sysfs(vmware_host_t) dev_read_urand(vmware_host_t) dev_rw_vmware(vmware_host_t) @@ -61273,7 +63016,7 @@ index f21389b..482db56 100644 domain_use_interactive_fds(vmware_host_t) domain_dontaudit_read_all_domains_state(vmware_host_t) -@@ -129,7 +130,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t) +@@ -129,7 +129,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t) files_list_tmp(vmware_host_t) files_read_etc_files(vmware_host_t) files_read_etc_runtime_files(vmware_host_t) @@ -61282,7 +63025,7 @@ index f21389b..482db56 100644 fs_getattr_all_fs(vmware_host_t) fs_search_auto_mountpoints(vmware_host_t) -@@ -157,10 +158,22 @@ netutils_domtrans_ping(vmware_host_t) +@@ -157,10 +157,22 @@ netutils_domtrans_ping(vmware_host_t) optional_policy(` hostname_exec(vmware_host_t) @@ -61306,7 +63049,7 @@ index f21389b..482db56 100644 ') optional_policy(` -@@ -271,7 +284,7 @@ libs_read_lib_files(vmware_t) +@@ -271,7 +283,7 @@ libs_read_lib_files(vmware_t) miscfiles_read_localization(vmware_t) @@ -61398,7 +63141,7 @@ index 7b93e07..a4e2f60 100644 ######################################## diff --git a/vpn.te b/vpn.te -index 83a80ba..a7aefa0 100644 +index 83a80ba..bc840ec 100644 --- a/vpn.te +++ b/vpn.te @@ -5,13 +5,15 @@ policy_module(vpn, 1.15.0) 
@@ -61429,7 +63172,15 @@ index 83a80ba..a7aefa0 100644 allow vpnc_t self:process { getsched signal }; allow vpnc_t self:fifo_file rw_fifo_file_perms; allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; -@@ -80,18 +82,19 @@ domain_use_interactive_fds(vpnc_t) +@@ -51,7 +53,6 @@ kernel_read_all_sysctls(vpnc_t) + kernel_request_load_module(vpnc_t) + kernel_rw_net_sysctls(vpnc_t) + +-corenet_all_recvfrom_unlabeled(vpnc_t) + corenet_all_recvfrom_netlabel(vpnc_t) + corenet_tcp_sendrecv_generic_if(vpnc_t) + corenet_udp_sendrecv_generic_if(vpnc_t) +@@ -80,18 +81,19 @@ domain_use_interactive_fds(vpnc_t) fs_getattr_xattr_fs(vpnc_t) fs_getattr_tmpfs(vpnc_t) @@ -61452,7 +63203,7 @@ index 83a80ba..a7aefa0 100644 libs_exec_ld_so(vpnc_t) libs_exec_lib_files(vpnc_t) -@@ -105,12 +108,13 @@ miscfiles_read_localization(vpnc_t) +@@ -105,12 +107,13 @@ miscfiles_read_localization(vpnc_t) seutil_dontaudit_search_config(vpnc_t) seutil_use_newrole_fds(vpnc_t) @@ -61497,6 +63248,18 @@ index 1174ad8..f4c4c1b 100644 sysnet_dns_name_resolve(httpd_w3c_validator_script_t) + +apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t) +diff --git a/watchdog.te b/watchdog.te +index b10bb05..4f7499e 100644 +--- a/watchdog.te ++++ b/watchdog.te +@@ -42,7 +42,6 @@ kernel_unmount_proc(watchdog_t) + corecmd_exec_shell(watchdog_t) + + # cjp: why networking? +-corenet_all_recvfrom_unlabeled(watchdog_t) + corenet_all_recvfrom_netlabel(watchdog_t) + corenet_tcp_sendrecv_generic_if(watchdog_t) + corenet_udp_sendrecv_generic_if(watchdog_t) diff --git a/wdmd.fc b/wdmd.fc new file mode 100644 index 0000000..ad47e05 @@ -61693,10 +63456,18 @@ index 0ecc786..e0f21c3 100644 files_dontaudit_search_all_dirs(webadm_t) files_manage_generic_locks(webadm_t) diff --git a/webalizer.te b/webalizer.te -index 32b4f76..d11a7ca 100644 +index 32b4f76..ea008d8 100644 --- a/webalizer.te 
+++ b/webalizer.te -@@ -69,24 +69,27 @@ fs_search_auto_mountpoints(webalizer_t) +@@ -59,7 +59,6 @@ files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file) + kernel_read_kernel_sysctls(webalizer_t) + kernel_read_system_state(webalizer_t) + +-corenet_all_recvfrom_unlabeled(webalizer_t) + corenet_all_recvfrom_netlabel(webalizer_t) + corenet_tcp_sendrecv_generic_if(webalizer_t) + corenet_tcp_sendrecv_generic_node(webalizer_t) +@@ -69,24 +68,27 @@ fs_search_auto_mountpoints(webalizer_t) fs_getattr_xattr_fs(webalizer_t) fs_rw_anon_inodefs_files(webalizer_t) @@ -62122,7 +63893,7 @@ index 77d41b6..cc73c96 100644 files_search_pids($1) diff --git a/xen.te b/xen.te -index d995c70..da9a6e1 100644 +index d995c70..a9a273a 100644 --- a/xen.te +++ b/xen.te @@ -4,6 +4,7 @@ policy_module(xen, 1.11.1) @@ -62189,7 +63960,15 @@ index d995c70..da9a6e1 100644 allow xend_t xen_image_t:dir list_dir_perms; manage_dirs_pattern(xend_t, xen_image_t, xen_image_t) -@@ -294,12 +299,13 @@ corenet_sendrecv_soundd_server_packets(xend_t) +@@ -275,7 +280,6 @@ kernel_read_network_state(xend_t) + corecmd_exec_bin(xend_t) + corecmd_exec_shell(xend_t) + +-corenet_all_recvfrom_unlabeled(xend_t) + corenet_all_recvfrom_netlabel(xend_t) + corenet_tcp_sendrecv_generic_if(xend_t) + corenet_tcp_sendrecv_generic_node(xend_t) +@@ -294,12 +298,13 @@ corenet_sendrecv_soundd_server_packets(xend_t) corenet_rw_tun_tap_dev(xend_t) dev_read_urand(xend_t) @@ -62204,7 +63983,7 @@ index d995c70..da9a6e1 100644 files_read_etc_files(xend_t) files_read_kernel_symbol_table(xend_t) -@@ -309,7 +315,9 @@ files_etc_filetrans_etc_runtime(xend_t, file) +@@ -309,7 +314,9 @@ files_etc_filetrans_etc_runtime(xend_t, file) files_read_usr_files(xend_t) files_read_default_symlinks(xend_t) 
@@ -62214,7 +63993,7 @@ index d995c70..da9a6e1 100644 term_use_generic_ptys(xend_t) term_use_ptmx(xend_t) term_getattr_pty_fs(xend_t) -@@ -320,13 +328,11 @@ locallogin_dontaudit_use_fds(xend_t) +@@ -320,13 +327,11 @@ locallogin_dontaudit_use_fds(xend_t) logging_send_syslog_msg(xend_t) @@ -62229,7 +64008,7 @@ index d995c70..da9a6e1 100644 sysnet_domtrans_dhcpc(xend_t) sysnet_signal_dhcpc(xend_t) sysnet_domtrans_ifconfig(xend_t) -@@ -339,8 +345,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) +@@ -339,8 +344,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) xen_stream_connect_xenstore(xend_t) @@ -62238,7 +64017,7 @@ index d995c70..da9a6e1 100644 optional_policy(` brctl_domtrans(xend_t) ') -@@ -349,6 +353,27 @@ optional_policy(` +@@ -349,6 +352,27 @@ optional_policy(` consoletype_exec(xend_t) ') @@ -62266,7 +64045,7 @@ index d995c70..da9a6e1 100644 ######################################## # # Xen console local policy -@@ -374,8 +399,6 @@ dev_rw_xen(xenconsoled_t) +@@ -374,8 +398,6 @@ dev_rw_xen(xenconsoled_t) dev_filetrans_xen(xenconsoled_t) dev_rw_sysfs(xenconsoled_t) @@ -62275,7 +64054,7 @@ index d995c70..da9a6e1 100644 files_read_etc_files(xenconsoled_t) files_read_usr_files(xenconsoled_t) -@@ -413,9 +436,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +@@ -413,9 +435,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file @@ -62287,7 +64066,7 @@ index d995c70..da9a6e1 100644 # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -442,9 +466,11 @@ files_read_etc_files(xenstored_t) +@@ -442,9 +465,11 @@ files_read_etc_files(xenstored_t) files_read_usr_files(xenstored_t) 
@@ -62299,7 +64078,7 @@ index d995c70..da9a6e1 100644 init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) -@@ -457,96 +483,9 @@ xen_append_log(xenstored_t) +@@ -457,96 +482,9 @@ xen_append_log(xenstored_t) ######################################## # @@ -62396,7 +64175,7 @@ index d995c70..da9a6e1 100644 #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -@@ -559,8 +498,4 @@ optional_policy(` +@@ -559,8 +497,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') @@ -62406,10 +64185,18 @@ index d995c70..da9a6e1 100644 - ') ') diff --git a/xfs.te b/xfs.te -index 11c1b12..2eb8770 100644 +index 11c1b12..b376ff9 100644 --- a/xfs.te +++ b/xfs.te -@@ -57,7 +57,6 @@ fs_search_auto_mountpoints(xfs_t) +@@ -37,7 +37,6 @@ files_pid_filetrans(xfs_t, xfs_var_run_t, file) + kernel_read_kernel_sysctls(xfs_t) + kernel_read_system_state(xfs_t) + +-corenet_all_recvfrom_unlabeled(xfs_t) + corenet_all_recvfrom_netlabel(xfs_t) + corenet_tcp_sendrecv_generic_if(xfs_t) + corenet_tcp_sendrecv_generic_node(xfs_t) +@@ -57,7 +56,6 @@ fs_search_auto_mountpoints(xfs_t) domain_use_interactive_fds(xfs_t) @@ -62418,7 +64205,7 @@ index 11c1b12..2eb8770 100644 files_read_usr_files(xfs_t) diff --git a/xguest.te b/xguest.te -index e88b95f..6b9303f 100644 +index e88b95f..37e5758 100644 --- a/xguest.te +++ b/xguest.te @@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true) @@ -62474,7 +64261,7 @@ index e88b95f..6b9303f 100644 ') ') -@@ -76,23 +87,97 @@ optional_policy(` +@@ -76,23 +87,96 @@ optional_policy(` ') optional_policy(` @@ -62526,7 +64313,6 @@ index e88b95f..6b9303f 100644 networkmanager_dbus_chat(xguest_t) + networkmanager_read_lib_files(xguest_t) corenet_tcp_connect_pulseaudio_port(xguest_t) -+ corenet_all_recvfrom_unlabeled(xguest_t) + corenet_all_recvfrom_netlabel(xguest_t) + corenet_tcp_sendrecv_generic_if(xguest_t) + corenet_raw_sendrecv_generic_if(xguest_t) 
@@ -62575,6 +64361,18 @@ index e88b95f..6b9303f 100644 -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) +diff --git a/xprint.te b/xprint.te +index 68d13e5..b71fae3 100644 +--- a/xprint.te ++++ b/xprint.te +@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(xprint_t) + corecmd_exec_bin(xprint_t) + corecmd_exec_shell(xprint_t) + +-corenet_all_recvfrom_unlabeled(xprint_t) + corenet_all_recvfrom_netlabel(xprint_t) + corenet_tcp_sendrecv_generic_if(xprint_t) + corenet_udp_sendrecv_generic_if(xprint_t) diff --git a/xscreensaver.te b/xscreensaver.te index 1487a4e..f6b4217 100644 --- a/xscreensaver.te @@ -62589,10 +64387,18 @@ index 1487a4e..f6b4217 100644 userdom_read_user_home_content_files(xscreensaver_t) diff --git a/yam.te b/yam.te -index 223ad43..4180662 100644 +index 223ad43..7950370 100644 --- a/yam.te +++ b/yam.te -@@ -71,7 +71,6 @@ corenet_sendrecv_rsync_client_packets(yam_t) +@@ -58,7 +58,6 @@ corecmd_exec_bin(yam_t) + + # Rsync and lftp need to network. They also set files attributes to + # match whats on the remote server. +-corenet_all_recvfrom_unlabeled(yam_t) + corenet_all_recvfrom_netlabel(yam_t) + corenet_tcp_sendrecv_generic_if(yam_t) + corenet_tcp_sendrecv_generic_node(yam_t) +@@ -71,7 +70,6 @@ corenet_sendrecv_rsync_client_packets(yam_t) # mktemp dev_read_urand(yam_t) @@ -62600,7 +64406,7 @@ index 223ad43..4180662 100644 files_read_etc_runtime_files(yam_t) # /usr/share/createrepo/genpkgmetadata.py: files_exec_usr_files(yam_t) -@@ -83,16 +82,17 @@ fs_search_auto_mountpoints(yam_t) +@@ -83,16 +81,17 @@ fs_search_auto_mountpoints(yam_t) # Content can also be on ISO image files. fs_read_iso9660_files(yam_t) @@ -62888,7 +64694,7 @@ index 21ae664..cb3a098 100644 + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) +') diff --git a/zarafa.te b/zarafa.te -index 9fb4747..bd73b2a 100644 +index 9fb4747..3879499 100644 --- a/zarafa.te +++ b/zarafa.te @@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t) 
@@ -62902,7 +64708,15 @@ index 9fb4747..bd73b2a 100644 zarafa_domain_template(monitor) zarafa_domain_template(server) -@@ -57,6 +61,21 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) +@@ -49,7 +53,6 @@ files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) + allow zarafa_gateway_t self:capability { chown kill }; + allow zarafa_gateway_t self:process setrlimit; + +-corenet_all_recvfrom_unlabeled(zarafa_gateway_t) + corenet_all_recvfrom_netlabel(zarafa_gateway_t) + corenet_tcp_sendrecv_generic_if(zarafa_gateway_t) + corenet_tcp_sendrecv_generic_node(zarafa_gateway_t) +@@ -57,6 +60,21 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) corenet_tcp_bind_generic_node(zarafa_gateway_t) corenet_tcp_bind_pop_port(zarafa_gateway_t) @@ -62924,7 +64738,15 @@ index 9fb4747..bd73b2a 100644 ####################################### # # zarafa-ical local policy -@@ -93,7 +112,8 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) +@@ -64,7 +82,6 @@ corenet_tcp_bind_pop_port(zarafa_gateway_t) + + allow zarafa_ical_t self:capability chown; + +-corenet_all_recvfrom_unlabeled(zarafa_ical_t) + corenet_all_recvfrom_netlabel(zarafa_ical_t) + corenet_tcp_sendrecv_generic_if(zarafa_ical_t) + corenet_tcp_sendrecv_generic_node(zarafa_ical_t) +@@ -93,11 +110,11 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) 
@@ -62934,7 +64756,11 @@ index 9fb4747..bd73b2a 100644 stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t) -@@ -107,7 +127,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t) +-corenet_all_recvfrom_unlabeled(zarafa_server_t) + corenet_all_recvfrom_netlabel(zarafa_server_t) + corenet_tcp_sendrecv_generic_if(zarafa_server_t) + corenet_tcp_sendrecv_generic_node(zarafa_server_t) +@@ -107,7 +124,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t) files_read_usr_files(zarafa_server_t) @@ -62942,7 +64768,15 @@ index 9fb4747..bd73b2a 100644 logging_send_audit_msgs(zarafa_server_t) sysnet_dns_name_resolve(zarafa_server_t) -@@ -138,6 +157,32 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t) +@@ -129,7 +145,6 @@ allow zarafa_spooler_t self:capability { chown kill }; + + can_exec(zarafa_spooler_t, zarafa_spooler_exec_t) + +-corenet_all_recvfrom_unlabeled(zarafa_spooler_t) + corenet_all_recvfrom_netlabel(zarafa_spooler_t) + corenet_tcp_sendrecv_generic_if(zarafa_spooler_t) + corenet_tcp_sendrecv_generic_node(zarafa_spooler_t) +@@ -138,6 +153,32 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t) ######################################## # @@ -62975,7 +64809,7 @@ index 9fb4747..bd73b2a 100644 # zarafa domains local policy # -@@ -152,10 +197,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var +@@ -152,10 +193,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t) @@ -63023,7 +64857,7 @@ index 6b87605..ef64e73 100644 init_labeled_script_domtrans($1, zebra_initrc_exec_t) domain_system_change_exemption($1) diff --git a/zebra.te b/zebra.te -index ade6c2c..232b7bd 100644 +index ade6c2c..f043f14 100644 --- a/zebra.te +++ b/zebra.te @@ -11,14 +11,14 @@ policy_module(zebra, 1.12.0) 
@@ -63052,7 +64886,15 @@ index ade6c2c..232b7bd 100644 manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t) manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t) logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir }) -@@ -106,6 +106,8 @@ files_search_etc(zebra_t) +@@ -71,7 +71,6 @@ kernel_read_network_state(zebra_t) + kernel_read_kernel_sysctls(zebra_t) + kernel_rw_net_sysctls(zebra_t) + +-corenet_all_recvfrom_unlabeled(zebra_t) + corenet_all_recvfrom_netlabel(zebra_t) + corenet_tcp_sendrecv_generic_if(zebra_t) + corenet_udp_sendrecv_generic_if(zebra_t) +@@ -106,6 +105,8 @@ files_search_etc(zebra_t) files_read_etc_files(zebra_t) files_read_etc_runtime_files(zebra_t) @@ -63061,7 +64903,7 @@ index ade6c2c..232b7bd 100644 logging_send_syslog_msg(zebra_t) miscfiles_read_localization(zebra_t) -@@ -115,7 +117,7 @@ sysnet_read_config(zebra_t) +@@ -115,7 +116,7 @@ sysnet_read_config(zebra_t) userdom_dontaudit_use_unpriv_user_fds(zebra_t) userdom_dontaudit_search_user_home_dirs(zebra_t) @@ -63072,10 +64914,10 @@ index ade6c2c..232b7bd 100644 diff --git a/zoneminder.fc b/zoneminder.fc new file mode 100644 -index 0000000..20555d7 +index 0000000..e1602ec --- /dev/null +++ b/zoneminder.fc -@@ -0,0 +1,22 @@ +@@ -0,0 +1,24 @@ +/etc/rc\.d/init\.d/motion -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0) + +/etc/rc\.d/init\.d/zoneminder -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0) @@ -63088,6 +64930,8 @@ index 0000000..20555d7 + +/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0) + ++/var/motion(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0) ++ +/var/log/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_log_t,s0) + +/var/log/motion\.log.* -- gen_context(system_u:object_r:zoneminder_log_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 69aa863..d9a2698 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.0
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,22 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Jul 27 2012 Miroslav Grepl 3.11.0-13
+- Add systemd_logind_inhibit_var_run_t attribute
+- Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type
+- Add interface for mysqld to dontaudit signull to all processes
+- Label new /var/run/journal directory correctly
+- Allow users to inhibit suspend via systemd
+- Add new type for the /var/run/inhibit directory
+- Add interface to send signull to systemd_login so avahi can send them
+- Allow systemd_passwd to send syslog messages
+- Remove corenet_all_recvfrom_unlabeled() calling fro policy files
+- Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group
+- Allow smbd to read cluster config
+- Add additional labeling for passenger
+- Allow dbus to inhibit suspend via systemd
+- Allow avahi to send signull to systemd_login
+
 * Mon Jul 23 2012 Miroslav Grepl 3.11.0-12
 - Add interface to dontaudit getattr access on sysctls
 - Allow sshd to execute /bin/login