From f5f6812fa46741892a05f6976af0896fb45a2faa Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Aug 21 2015 08:11:52 +0000
Subject: - Add ipmievd policy creaed by vmojzis@redhat.com
- Call kernel_load_module(vmware_host_t) to satisfy the neverallow assertion for sys_module in MLS, where unconfined is disabled.
- Allow NetworkManager to write audit log messages
- Add new policy for ipmievd (ipmitool).
- mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block.
- Allow sandbox domain to be also /dev/mem writer
- Fix neverallow assertion for sys_module capability for openvswitch.
- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t.
- Fix neverallow assertion for sys_module capability.
- Add more attributes for sandbox domains to avoid neverallow assertion issues.
- Add neverallow asserition fixes related to storage.
- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS
- Allow openhpid_t to read system state.
- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type.
- Added labels for files provided by rh-nginx18 collection
- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.
- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution.
- Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow tosatisfy neverallow assertions.
- Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion.
- seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues.
- Add dev_raw_memory_writer() interface
- Add auth_reader_shadow() and auth_writer_shadow() interfaces
- Add dev_raw_memory_reader() interface.
- Add storage_rw_inherited_scsi_generic() interface.
- Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working.
- Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t.
- Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process.
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index bd4d1a9..783906b 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3194,7 +3194,7 @@ index 1d732f1..f6ff7aa 100644
+ stapserver_manage_lib(useradd_t)
+')
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
-index 1dc7a85..1a2084f 100644
+index 1dc7a85..e4f6fc2 100644
--- a/policy/modules/apps/seunshare.if
+++ b/policy/modules/apps/seunshare.if
@@ -43,18 +43,18 @@ interface(`seunshare_run',`
@@ -3223,7 +3223,7 @@ index 1dc7a85..1a2084f 100644
##
##
## Role allowed access.
-@@ -66,15 +66,45 @@ interface(`seunshare_run',`
+@@ -66,15 +66,47 @@ interface(`seunshare_run',`
##
##
#
@@ -3243,6 +3243,8 @@ index 1dc7a85..1a2084f 100644
- seunshare_domtrans($1)
+ kernel_read_system_state($1_seunshare_t)
+
++ domain_dyntrans_type($1_seunshare_t)
++
+ auth_use_nsswitch($1_seunshare_t)
+
+ logging_send_syslog_msg($1_seunshare_t)
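Review bot: The added `domain_dyntrans_type($1_seunshare_t)` has no comment saying why a sandbox launcher needs the set_curr_context attribute, and the commit message only says it resolves a neverallow assertion. Without that, an auditor of this template will read it as seunshare being meant to setcon() into arbitrary domains; as far as the hunk shows, the attribute is what the process dyntransition neverallow keys on and it grants nothing on its own — the dyntransition allow rules elsewhere still decide which target domains are reachable. Suggest a comment above the call: `# presumably seunshare enters the sandbox domain via setcon(); set_curr_context is required by the neverallow on process:dyntransition and grants no access by itself`. The enclosing template starts and ends outside this hunk.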
@@ -6193,7 +6195,7 @@ index b31c054..d500876 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..450a2b7 100644
+index 76f285e..68ef8e7 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6894,7 +6896,57 @@ index 76f285e..450a2b7 100644
##
##
##
-@@ -2725,7 +3149,7 @@ interface(`dev_write_misc',`
+@@ -2532,6 +2956,24 @@ interface(`dev_read_raw_memory',`
+
+ ########################################
+ ##
++## Allow to be reader of raw memory devices (e.g. /dev/mem).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_raw_memory_reader',`
++ gen_require(`
++ attribute memory_raw_read;
++ ')
++
++ typeattribute $1 memory_raw_read;
++')
++
++########################################
++##
+ ## Do not audit attempts to read raw memory devices
+ ## (e.g. /dev/mem).
+ ##
+@@ -2573,6 +3015,24 @@ interface(`dev_write_raw_memory',`
+
+ ########################################
+ ##
++## Allow to be writer of raw memory devices (e.g. /dev/mem).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_raw_memory_writer',`
++ gen_require(`
++ attribute memory_raw_write;
++ ')
++
++ typeattribute $1 memory_raw_write;
++')
++
++########################################
++##
+ ## Read and execute raw memory devices (e.g. /dev/mem).
+ ##
+ ##
+@@ -2725,7 +3185,7 @@ interface(`dev_write_misc',`
##
##
##
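Review bot: The headers of the new `dev_raw_memory_reader()` and `dev_raw_memory_writer()` say "Allow to be reader/writer of raw memory devices", but their bodies only add the caller to the `memory_raw_read`/`memory_raw_write` attributes — no `allow` on memory_device_t is emitted, so a domain calling only these gets no /dev/mem access, while a domain that already has the allow rules becomes exempt from whatever neverallow is keyed on those attributes (presumably the raw-memory assertion, judging by the names). The description should say so, or these will be mistaken for lighter variants of `dev_read_raw_memory()`/`dev_write_raw_memory()`; e.g. `## Mark the domain as a raw memory reader (memory_raw_read attribute). Grants no access by itself; pair with dev_read_raw_memory().` and the matching text for the writer. Because write access to /dev/mem is equivalent to control of the kernel, the writer variant should also carry `## Every caller of this interface must be audited.` so that the sandbox use mentioned in the commit message is not copied elsewhere casually.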
@@ -6903,7 +6955,7 @@ index 76f285e..450a2b7 100644
##
##
#
-@@ -2811,6 +3235,78 @@ interface(`dev_rw_modem',`
+@@ -2811,6 +3271,78 @@ interface(`dev_rw_modem',`
########################################
##
@@ -6982,7 +7034,7 @@ index 76f285e..450a2b7 100644
## Get the attributes of the mouse devices.
##
##
-@@ -2903,20 +3399,20 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2903,20 +3435,20 @@ interface(`dev_getattr_mtrr_dev',`
########################################
##
@@ -7007,7 +7059,7 @@ index 76f285e..450a2b7 100644
##
##
##
-@@ -2925,43 +3421,34 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2925,43 +3457,34 @@ interface(`dev_getattr_mtrr_dev',`
##
##
#
@@ -7063,7 +7115,7 @@ index 76f285e..450a2b7 100644
## range registers (MTRR).
##
##
-@@ -2970,13 +3457,32 @@ interface(`dev_write_mtrr',`
+@@ -2970,13 +3493,32 @@ interface(`dev_write_mtrr',`
##
##
#
@@ -7099,11 +7151,10 @@ index 76f285e..450a2b7 100644
')
########################################
-@@ -3144,7 +3650,43 @@ interface(`dev_create_null_dev',`
+@@ -3144,6 +3686,42 @@ interface(`dev_create_null_dev',`
########################################
##
--## Do not audit attempts to get the attributes
+## Get the status of a null device service.
+##
+##
@@ -7140,11 +7191,10 @@ index 76f285e..450a2b7 100644
+
+########################################
+##
-+## Do not audit attempts to get the attributes
+ ## Do not audit attempts to get the attributes
## of the BIOS non-volatile RAM device.
##
- ##
-@@ -3163,6 +3705,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
+@@ -3163,6 +3741,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
########################################
##
@@ -7169,7 +7219,7 @@ index 76f285e..450a2b7 100644
## Read and write BIOS non-volatile RAM.
##
##
-@@ -3254,7 +3814,25 @@ interface(`dev_rw_printer',`
+@@ -3254,7 +3850,25 @@ interface(`dev_rw_printer',`
########################################
##
@@ -7196,7 +7246,7 @@ index 76f285e..450a2b7 100644
##
##
##
-@@ -3262,12 +3840,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3876,13 @@ interface(`dev_rw_printer',`
##
##
#
@@ -7213,7 +7263,7 @@ index 76f285e..450a2b7 100644
')
########################################
-@@ -3399,7 +3978,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +4014,7 @@ interface(`dev_dontaudit_read_rand',`
########################################
##
@@ -7222,7 +7272,7 @@ index 76f285e..450a2b7 100644
## number generator devices (e.g., /dev/random)
##
##
-@@ -3413,7 +3992,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +4028,7 @@ interface(`dev_dontaudit_append_rand',`
type random_device_t;
')
@@ -7231,213 +7281,760 @@ index 76f285e..450a2b7 100644
')
########################################
-@@ -3855,6 +4434,114 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4470,7 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
##
+-## Search the sysfs directories.
+## Set the attributes of sysfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -3863,91 +4478,89 @@ interface(`dev_getattr_sysfs_dirs',`
+ ##
+ ##
+ #
+-interface(`dev_search_sysfs',`
+interface(`dev_setattr_sysfs_dirs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- search_dirs_pattern($1, sysfs_t, sysfs_t)
+ allow $1 sysfs_t:dir setattr_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search sysfs.
+## Get attributes of sysfs filesystems.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_search_sysfs',`
+interface(`dev_getattr_sysfs_fs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- dontaudit $1 sysfs_t:dir search_dir_perms;
+ allow $1 sysfs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List the contents of the sysfs directories.
+## Mount a filesystem on /sys
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain allow access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`dev_list_sysfs',`
+interface(`dev_mounton_sysfs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- list_dirs_pattern($1, sysfs_t, sysfs_t)
+ allow $1 sysfs_t:dir mounton;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Write in a sysfs directories.
+## Dontaudit attempts to mount a filesystem on /sys
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_mounton_sysfs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ dontaudit $1 sysfs_t:dir mounton;
-+')
-+
-+########################################
-+##
-+## Mount sysfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_mount_sysfs_fs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ allow $1 sysfs_t:filesystem mount;
-+')
-+
-+########################################
-+##
-+## Unmount sysfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_unmount_sysfs_fs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ allow $1 sysfs_t:filesystem unmount;
-+')
-+
-+########################################
-+##
- ## Search the sysfs directories.
##
##
-@@ -3904,6 +4591,7 @@ interface(`dev_list_sysfs',`
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-# cjp: added for cpuspeed
+-interface(`dev_write_sysfs_dirs',`
++interface(`dev_dontaudit_mounton_sysfs',`
+ gen_require(`
type sysfs_t;
')
-+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
- list_dirs_pattern($1, sysfs_t, sysfs_t)
+- allow $1 sysfs_t:dir write;
++ dontaudit $1 sysfs_t:dir mounton;
')
-@@ -3928,6 +4616,24 @@ interface(`dev_write_sysfs_dirs',`
-
########################################
##
-+## Access check for a sysfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_access_check_sysfs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ allow $1 sysfs_t:dir audit_access;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to write in a sysfs directory.
+-## Do not audit attempts to write in a sysfs directory.
++## Mount sysfs filesystems.
##
##
-@@ -3946,23 +4652,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_write_sysfs_dirs',`
++interface(`dev_mount_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- dontaudit $1 sysfs_t:dir write;
++ allow $1 sysfs_t:filesystem mount;
+ ')
########################################
##
-## Create, read, write, and delete sysfs
-## directories.
-+## Read cpu online hardware state information.
++## Unmount sysfs filesystems.
##
-+##
-+##
-+## Allow the specified domain to read /sys/devices/system/cpu/online file.
-+##
-+##
##
##
- ## Domain allowed access.
+@@ -3955,68 +4568,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
##
##
#
-interface(`dev_manage_sysfs_dirs',`
-+interface(`dev_read_cpu_online',`
-+ gen_require(`
-+ type cpu_online_t;
-+ ')
-+
-+ dev_search_sysfs($1)
-+ read_files_pattern($1, cpu_online_t, cpu_online_t)
-+')
-+
-+########################################
-+##
-+## Relabel cpu online hardware state information.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_relabel_cpu_online',`
++interface(`dev_unmount_sysfs_fs',`
gen_require(`
-+ type cpu_online_t;
type sysfs_t;
')
- manage_dirs_pattern($1, sysfs_t, sysfs_t)
-+ dev_search_sysfs($1)
++ allow $1 sysfs_t:filesystem unmount;
+ ')
+
+ ########################################
+ ##
+-## Read hardware state information.
++## Search the sysfs directories.
+ ##
+-##
+-##
+-## Allow the specified domain to read the contents of
+-## the sysfs filesystem. This filesystem contains
+-## information, parameters, and other settings on the
+-## hardware installed on the system.
+-##
+-##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`dev_read_sysfs',`
++interface(`dev_search_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- read_files_pattern($1, sysfs_t, sysfs_t)
+- read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+-
+- list_dirs_pattern($1, sysfs_t, sysfs_t)
++ search_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+ ########################################
+ ##
+-## Allow caller to modify hardware state information.
++## Do not audit attempts to search sysfs.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_rw_sysfs',`
++interface(`dev_dontaudit_search_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- rw_files_pattern($1, sysfs_t, sysfs_t)
+- read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+-
+- list_dirs_pattern($1, sysfs_t, sysfs_t)
++ dontaudit $1 sysfs_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Read and write the TPM device.
++## List the contents of the sysfs directories.
+ ##
+ ##
+ ##
+@@ -4024,114 +4622,97 @@ interface(`dev_rw_sysfs',`
+ ##
+ ##
+ #
+-interface(`dev_rw_tpm',`
++interface(`dev_list_sysfs',`
+ gen_require(`
+- type device_t, tpm_device_t;
++ type sysfs_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, tpm_device_t)
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++ list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+ ########################################
+ ##
+-## Read from pseudo random number generator devices (e.g., /dev/urandom).
++## Write in a sysfs directories.
+ ##
+-##
+-##
+-## Allow the specified domain to read from pseudo random number
+-## generator devices (e.g., /dev/urandom). Typically this is
+-## used in situations when a cryptographically secure random
+-## number is not necessarily needed. One example is the Stack
+-## Smashing Protector (SSP, formerly known as ProPolice) support
+-## that may be compiled into programs.
+-##
+-##
+-## Related interface:
+-##
+-##
+-## - dev_read_rand()
+-##
+-##
+-## Related tunable:
+-##
+-##
+-##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`dev_read_urand',`
++# cjp: added for cpuspeed
++interface(`dev_write_sysfs_dirs',`
+ gen_require(`
+- type device_t, urandom_device_t;
++ type sysfs_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, urandom_device_t)
++ allow $1 sysfs_t:dir write;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read from pseudo
+-## random devices (e.g., /dev/urandom)
++## Access check for a sysfs directories.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_read_urand',`
++interface(`dev_access_check_sysfs',`
+ gen_require(`
+- type urandom_device_t;
++ type sysfs_t;
+ ')
+
+- dontaudit $1 urandom_device_t:chr_file { getattr read };
++ allow $1 sysfs_t:dir audit_access;
+ ')
+
+ ########################################
+ ##
+-## Write to the pseudo random device (e.g., /dev/urandom). This
+-## sets the random number generator seed.
++## Do not audit attempts to write in a sysfs directory.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_write_urand',`
++interface(`dev_dontaudit_write_sysfs_dirs',`
+ gen_require(`
+- type device_t, urandom_device_t;
++ type sysfs_t;
+ ')
+
+- write_chr_files_pattern($1, device_t, urandom_device_t)
++ dontaudit $1 sysfs_t:dir write;
+ ')
+
+ ########################################
+ ##
+-## Getattr generic the USB devices.
++## Read cpu online hardware state information.
+ ##
++##
++##
++## Allow the specified domain to read /sys/devices/system/cpu/online file.
++##
++##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_getattr_generic_usb_dev',`
++interface(`dev_read_cpu_online',`
+ gen_require(`
+- type usb_device_t;
++ type cpu_online_t;
+ ')
+
+- getattr_chr_files_pattern($1, device_t, usb_device_t)
++ dev_search_sysfs($1)
++ read_files_pattern($1, cpu_online_t, cpu_online_t)
+ ')
+
+ ########################################
+ ##
+-## Setattr generic the USB devices.
++## Relabel cpu online hardware state information.
+ ##
+ ##
+ ##
+@@ -4139,35 +4720,50 @@ interface(`dev_getattr_generic_usb_dev',`
+ ##
+ ##
+ #
+-interface(`dev_setattr_generic_usb_dev',`
++interface(`dev_relabel_cpu_online',`
+ gen_require(`
+- type usb_device_t;
++ type cpu_online_t;
++ type sysfs_t;
+ ')
+
+- setattr_chr_files_pattern($1, device_t, usb_device_t)
++ dev_search_sysfs($1)
+ allow $1 cpu_online_t:file relabel_file_perms;
')
+
- ########################################
- ##
- ## Read hardware state information.
-@@ -4016,6 +4748,62 @@ interface(`dev_rw_sysfs',`
-
- ########################################
- ##
-+## Relabel hardware state directories.
+ ########################################
+ ##
+-## Read generic the USB devices.
++## Read hardware state information.
+ ##
++##
++##
++## Allow the specified domain to read the contents of
++## the sysfs filesystem. This filesystem contains
++## information, parameters, and other settings on the
++## hardware installed on the system.
++##
++##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`dev_read_generic_usb_dev',`
++interface(`dev_read_sysfs',`
+ gen_require(`
+- type usb_device_t;
++ type sysfs_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, usb_device_t)
++ read_files_pattern($1, sysfs_t, sysfs_t)
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++
++ list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write generic the USB devices.
++## Allow caller to modify hardware state information.
+ ##
+ ##
+ ##
+@@ -4175,17 +4771,20 @@ interface(`dev_read_generic_usb_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_generic_usb_dev',`
++interface(`dev_rw_sysfs',`
+ gen_require(`
+- type device_t, usb_device_t;
++ type sysfs_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, usb_device_t)
++ rw_files_pattern($1, sysfs_t, sysfs_t)
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++
++ list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+ ########################################
+ ##
+-## Relabel generic the USB devices.
++## Relabel hardware state directories.
+ ##
+ ##
+ ##
+@@ -4193,17 +4792,17 @@ interface(`dev_rw_generic_usb_dev',`
+ ##
+ ##
+ #
+-interface(`dev_relabel_generic_usb_dev',`
++interface(`dev_relabel_sysfs_dirs',`
+ gen_require(`
+- type usb_device_t;
++ type sysfs_t;
+ ')
+
+- relabel_chr_files_pattern($1, device_t, usb_device_t)
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+ ########################################
+ ##
+-## Read USB monitor devices.
++## Relabel hardware state files
+ ##
+ ##
+ ##
+@@ -4211,7 +4810,251 @@ interface(`dev_relabel_generic_usb_dev',`
+ ##
+ ##
+ #
+-interface(`dev_read_usbmon_dev',`
++interface(`dev_relabel_all_sysfs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++ relabel_files_pattern($1, sysfs_t, sysfs_t)
++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
++## Allow caller to modify hardware state information.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_manage_sysfs_dirs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ manage_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
++## Read and write the TPM device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_tpm',`
++ gen_require(`
++ type device_t, tpm_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, tpm_device_t)
++')
++
++########################################
++##
++## Read from pseudo random number generator devices (e.g., /dev/urandom).
++##
++##
++##
++## Allow the specified domain to read from pseudo random number
++## generator devices (e.g., /dev/urandom). Typically this is
++## used in situations when a cryptographically secure random
++## number is not necessarily needed. One example is the Stack
++## Smashing Protector (SSP, formerly known as ProPolice) support
++## that may be compiled into programs.
++##
++##
++## Related interface:
++##
++##
++## - dev_read_rand()
++##
++##
++## Related tunable:
++##
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`dev_read_urand',`
++ gen_require(`
++ type device_t, urandom_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, urandom_device_t)
++')
++
++########################################
++##
++## Do not audit attempts to read from pseudo
++## random devices (e.g., /dev/urandom)
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_read_urand',`
++ gen_require(`
++ type urandom_device_t;
++ ')
++
++ dontaudit $1 urandom_device_t:chr_file { getattr read };
++')
++
++########################################
++##
++## Write to the pseudo random device (e.g., /dev/urandom). This
++## sets the random number generator seed.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_write_urand',`
++ gen_require(`
++ type device_t, urandom_device_t;
++ ')
++
++ write_chr_files_pattern($1, device_t, urandom_device_t)
++')
++
++########################################
++##
++## Do not audit attempts to write to pseudo
++## random devices (e.g., /dev/urandom)
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_write_urand',`
++ gen_require(`
++ type urandom_device_t;
++ ')
++
++ dontaudit $1 urandom_device_t:chr_file write;
++')
++
++########################################
++##
++## Getattr generic the USB devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_generic_usb_dev',`
++ gen_require(`
++ type usb_device_t,device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++##
++## Setattr generic the USB devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_setattr_generic_usb_dev',`
++ gen_require(`
++ type usb_device_t;
++ ')
++
++ setattr_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++##
++## Read generic the USB devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_generic_usb_dev',`
++ gen_require(`
++ type usb_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++##
++## Read and write generic the USB devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_generic_usb_dev',`
++ gen_require(`
++ type device_t, usb_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++##
++## Relabel generic the USB devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_relabel_generic_usb_dev',`
++ gen_require(`
++ type usb_device_t;
++ ')
++
++ relabel_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++##
++## Read USB monitor devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_usbmon_dev',`
+ gen_require(`
+ type device_t, usbmon_device_t;
+ ')
+@@ -4267,15 +5110,169 @@ interface(`dev_mount_usbfs',`
+ #
+ interface(`dev_associate_usbfs',`
+ gen_require(`
+- type usbfs_t;
++ type usbfs_t;
++ ')
++
++ allow $1 usbfs_t:filesystem associate;
++')
++
++########################################
++##
++## Get the attributes of a directory in the usb filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_usbfs_dirs',`
++ gen_require(`
++ type usbfs_t;
++ ')
++
++ allow $1 usbfs_t:dir getattr_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes
++## of a directory in the usb filesystem.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_getattr_usbfs_dirs',`
++ gen_require(`
++ type usbfs_t;
++ ')
++
++ dontaudit $1 usbfs_t:dir getattr_dir_perms;
++')
++
++########################################
++##
++## Search the directory containing USB hardware information.
+##
+##
+##
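Review bot: `dev_getattr_generic_usb_dev` now requires `type usb_device_t,device_t;` (the one real fix this revision makes), but the three sibling interfaces re-added in the same hunk — `dev_setattr_generic_usb_dev`, `dev_read_generic_usb_dev` and `dev_relabel_generic_usb_dev` — still require only `type usb_device_t;` while their `*_chr_files_pattern($1, device_t, usb_device_t)` calls reference `device_t`. A loadable module that expands one of them without requiring device_t itself would presumably fail the same way getattr did, so the same one-line change belongs in each: `type usb_device_t, device_t;` (with the space after the comma, matching `type device_t, usb_device_t;` used by `dev_rw_generic_usb_dev` just below). The rest of this hunk reorders a long stretch of devices.if without content changes, which makes the getattr fix easy to miss; a line in the commit message naming it would help reviewers. The final inner hunk (`@@ -4267,15 +5110,169 @@`) continues into the next outer hunk.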
@@ -7445,17 +8042,17 @@ index 76f285e..450a2b7 100644
+##
+##
+#
-+interface(`dev_relabel_sysfs_dirs',`
++interface(`dev_search_usbfs',`
+ gen_require(`
-+ type sysfs_t;
++ type usbfs_t;
+ ')
+
-+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++ search_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
-+## Relabel hardware state files
++## Allow caller to get a list of usb hardware.
+##
+##
+##
@@ -7463,19 +8060,20 @@ index 76f285e..450a2b7 100644
+##
+##
+#
-+interface(`dev_relabel_all_sysfs',`
++interface(`dev_list_usbfs',`
+ gen_require(`
-+ type sysfs_t;
++ type usbfs_t;
+ ')
+
-+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
-+ relabel_files_pattern($1, sysfs_t, sysfs_t)
-+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ getattr_files_pattern($1, usbfs_t, usbfs_t)
++
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
-+## Allow caller to modify hardware state information.
++## Set the attributes of usbfs filesystem.
+##
+##
+##
@@ -7483,266 +8081,425 @@ index 76f285e..450a2b7 100644
+##
+##
+#
-+interface(`dev_manage_sysfs_dirs',`
++interface(`dev_setattr_usbfs_files',`
+ gen_require(`
-+ type sysfs_t;
++ type usbfs_t;
+ ')
+
-+ manage_dirs_pattern($1, sysfs_t, sysfs_t)
++ setattr_files_pattern($1, usbfs_t, usbfs_t)
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
- ## Read and write the TPM device.
- ##
- ##
-@@ -4113,6 +4901,25 @@ interface(`dev_write_urand',`
-
- ########################################
- ##
-+## Do not audit attempts to write to pseudo
-+## random devices (e.g., /dev/urandom)
++## Read USB hardware information using
++## the usbfs filesystem interface.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`dev_dontaudit_write_urand',`
++interface(`dev_read_usbfs',`
+ gen_require(`
-+ type urandom_device_t;
++ type usbfs_t;
+ ')
+
-+ dontaudit $1 urandom_device_t:chr_file write;
++ read_files_pattern($1, usbfs_t, usbfs_t)
++ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
- ## Getattr generic the USB devices.
++## Allow caller to modify usb hardware configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_usbfs',`
++ gen_require(`
++ type usbfs_t;
++ ')
++
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ rw_files_pattern($1, usbfs_t, usbfs_t)
++ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++')
++
++######################################
++##
++## Read and write userio device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_userio_dev',`
++ gen_require(`
++ type device_t, userio_device_t;
+ ')
+
+- allow $1 usbfs_t:filesystem associate;
++ rw_chr_files_pattern($1, device_t, userio_device_t)
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of a directory in the usb filesystem.
++## Get the attributes of video4linux devices.
##
##
-@@ -4123,7 +4930,7 @@ interface(`dev_write_urand',`
+ ##
+@@ -4283,18 +5280,18 @@ interface(`dev_associate_usbfs',`
+ ##
+ ##
#
- interface(`dev_getattr_generic_usb_dev',`
+-interface(`dev_getattr_usbfs_dirs',`
++interface(`dev_getattr_video_dev',`
gen_require(`
-- type usb_device_t;
-+ type usb_device_t,device_t;
+- type usbfs_t;
++ type device_t, v4l_device_t;
')
- getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4409,9 +5216,9 @@ interface(`dev_rw_usbfs',`
- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+- allow $1 usbfs_t:dir getattr_dir_perms;
++ getattr_chr_files_pattern($1, device_t, v4l_device_t)
')
--########################################
-+######################################
+ ########################################
##
--## Get the attributes of video4linux devices.
-+## Read and write userio device.
+ ## Do not audit attempts to get the attributes
+-## of a directory in the usb filesystem.
++## of video4linux device nodes.
##
##
##
-@@ -4419,17 +5226,17 @@ interface(`dev_rw_usbfs',`
+@@ -4302,17 +5299,17 @@ interface(`dev_getattr_usbfs_dirs',`
##
##
#
--interface(`dev_getattr_video_dev',`
-+interface(`dev_rw_userio_dev',`
+-interface(`dev_dontaudit_getattr_usbfs_dirs',`
++interface(`dev_dontaudit_getattr_video_dev',`
gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, userio_device_t;
+- type usbfs_t;
++ type v4l_device_t;
')
-- getattr_chr_files_pattern($1, device_t, v4l_device_t)
-+ rw_chr_files_pattern($1, device_t, userio_device_t)
+- dontaudit $1 usbfs_t:dir getattr_dir_perms;
++ dontaudit $1 v4l_device_t:chr_file getattr;
')
--######################################
-+########################################
+ ########################################
##
--## Read and write userio device.
-+## Get the attributes of video4linux devices.
+-## Search the directory containing USB hardware information.
++## Set the attributes of video4linux device nodes.
##
##
##
-@@ -4437,12 +5244,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4320,38 +5317,36 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',`
##
##
#
--interface(`dev_rw_userio_dev',`
-+interface(`dev_getattr_video_dev',`
+-interface(`dev_search_usbfs',`
++interface(`dev_setattr_video_dev',`
gen_require(`
-- type device_t, userio_device_t;
+- type usbfs_t;
+ type device_t, v4l_device_t;
')
-- rw_chr_files_pattern($1, device_t, userio_device_t)
-+ getattr_chr_files_pattern($1, device_t, v4l_device_t)
+- search_dirs_pattern($1, usbfs_t, usbfs_t)
++ setattr_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
+
+ ########################################
+ ##
+-## Allow caller to get a list of usb hardware.
++## Do not audit attempts to set the attributes
++## of video4linux device nodes.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_list_usbfs',`
++interface(`dev_dontaudit_setattr_video_dev',`
+ gen_require(`
+- type usbfs_t;
++ type v4l_device_t;
+ ')
+
+- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+- getattr_files_pattern($1, usbfs_t, usbfs_t)
+-
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
++ dontaudit $1 v4l_device_t:chr_file setattr;
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of usbfs filesystem.
++## Read the video4linux devices.
+ ##
+ ##
+ ##
+@@ -4359,19 +5354,17 @@ interface(`dev_list_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_setattr_usbfs_files',`
++interface(`dev_read_video_dev',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, v4l_device_t;
+ ')
+
+- setattr_files_pattern($1, usbfs_t, usbfs_t)
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
++ read_chr_files_pattern($1, device_t, v4l_device_t)
')
########################################
-@@ -4539,6 +5346,134 @@ interface(`dev_write_video_dev',`
+ ##
+-## Read USB hardware information using
+-## the usbfs filesystem interface.
++## Write the video4linux devices.
+ ##
+ ##
+ ##
+@@ -4379,19 +5372,17 @@ interface(`dev_setattr_usbfs_files',`
+ ##
+ ##
+ #
+-interface(`dev_read_usbfs',`
++interface(`dev_write_video_dev',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, v4l_device_t;
+ ')
+
+- read_files_pattern($1, usbfs_t, usbfs_t)
+- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
++ write_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
########################################
##
+-## Allow caller to modify usb hardware configuration files.
+## Get the attributes of vfio devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4399,37 +5390,36 @@ interface(`dev_read_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_rw_usbfs',`
+interface(`dev_getattr_vfio_dev',`
-+ gen_require(`
+ gen_require(`
+- type usbfs_t;
+ type device_t, vfio_device_t;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
+- rw_files_pattern($1, usbfs_t, usbfs_t)
+- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+ getattr_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of video4linux devices.
+## Do not audit attempts to get the attributes
+## of vfio device nodes.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`dev_getattr_video_dev',`
+interface(`dev_dontaudit_getattr_vfio_dev',`
-+ gen_require(`
+ gen_require(`
+- type device_t, v4l_device_t;
+ type vfio_device_t;
-+ ')
-+
+ ')
+
+- getattr_chr_files_pattern($1, device_t, v4l_device_t)
+ dontaudit $1 vfio_device_t:chr_file getattr;
-+')
-+
+ ')
+
+-######################################
+########################################
-+##
+ ##
+-## Read and write userio device.
+## Set the attributes of vfio device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4437,18 +5427,18 @@ interface(`dev_getattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_userio_dev',`
+interface(`dev_setattr_vfio_dev',`
-+ gen_require(`
+ gen_require(`
+- type device_t, userio_device_t;
+ type device_t, vfio_device_t;
-+ ')
-+
+ ')
+
+- rw_chr_files_pattern($1, device_t, userio_device_t)
+ setattr_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of video4linux device nodes.
+## Do not audit attempts to set the attributes
+## of vfio device nodes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4456,17 +5446,17 @@ interface(`dev_rw_userio_dev',`
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_getattr_video_dev',`
+interface(`dev_dontaudit_setattr_vfio_dev',`
-+ gen_require(`
+ gen_require(`
+- type v4l_device_t;
+ type vfio_device_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 v4l_device_t:chr_file getattr;
+ dontaudit $1 vfio_device_t:chr_file setattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of video4linux device nodes.
+## Read the vfio devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4474,36 +5464,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_setattr_video_dev',`
+interface(`dev_read_vfio_dev',`
-+ gen_require(`
+ gen_require(`
+- type device_t, v4l_device_t;
+ type device_t, vfio_device_t;
-+ ')
-+
+ ')
+
+- setattr_chr_files_pattern($1, device_t, v4l_device_t)
+ read_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to set the attributes
+-## of video4linux device nodes.
+## Write the vfio devices.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_setattr_video_dev',`
+interface(`dev_write_vfio_dev',`
-+ gen_require(`
+ gen_require(`
+- type v4l_device_t;
+ type device_t, vfio_device_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 v4l_device_t:chr_file setattr;
+ write_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read the video4linux devices.
+## Read and write the VFIO devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4511,17 +5500,17 @@ interface(`dev_dontaudit_setattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_read_video_dev',`
+interface(`dev_rw_vfio_dev',`
-+ gen_require(`
+ gen_require(`
+- type device_t, v4l_device_t;
+ type device_t, vfio_device_t;
-+ ')
-+
+ ')
+
+- read_chr_files_pattern($1, device_t, v4l_device_t)
+ rw_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+##
- ## Allow read/write the vhost net device
+ ')
+
+ ########################################
+ ##
+-## Write the video4linux devices.
++## Allow read/write the vhost net device
##
##
-@@ -4557,6 +5492,24 @@ interface(`dev_rw_vhost',`
+ ##
+@@ -4529,17 +5518,17 @@ interface(`dev_read_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_write_video_dev',`
++interface(`dev_rw_vhost',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type device_t, vhost_device_t;
+ ')
+
+- write_chr_files_pattern($1, device_t, v4l_device_t)
++ rw_chr_files_pattern($1, device_t, vhost_device_t)
+ ')
########################################
##
+-## Allow read/write the vhost net device
+## Allow read/write inheretid the vhost net device
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_inherited_vhost',`
-+ gen_require(`
-+ type device_t, vhost_device_t;
-+ ')
-+
-+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
- ## Read and write VMWare devices.
##
##
-@@ -4630,6 +5583,24 @@ interface(`dev_write_watchdog',`
+ ##
+@@ -4547,12 +5536,12 @@ interface(`dev_write_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_vhost',`
++interface(`dev_rw_inherited_vhost',`
+ gen_require(`
+ type device_t, vhost_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, vhost_device_t)
++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
+@@ -4630,6 +5619,24 @@ interface(`dev_write_watchdog',`
########################################
##
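Review bot: The interface summary `## Allow read/write inheretid the vhost net device` for `dev_rw_inherited_vhost` survives into the new side of the patch with the typo intact; since the body grants `rw_inherited_chr_file_perms`, a clearer line would be `## Read and write inherited vhost net device file descriptors.` The rest of this hunk reads as a rebase of the usbfs, video4linux, vfio and vhost interfaces against the moved upstream context rather than a policy change, so I have nothing further to raise on it; the `dev_rw_inherited_vhost` body itself is only partially inside the hunk.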
@@ -7767,7 +8524,7 @@ index 76f285e..450a2b7 100644
## Read and write the the wireless device.
##
##
-@@ -4762,6 +5733,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5769,44 @@ interface(`dev_rw_xserver_misc',`
########################################
##
@@ -7812,7 +8569,7 @@ index 76f285e..450a2b7 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +5860,966 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5896,966 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -10019,7 +10776,7 @@ index b876c48..a351aff 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..1a36ae2 100644
+index f962f76..a226015 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -10760,7 +11517,7 @@ index f962f76..1a36ae2 100644
## Do not audit attempts to get the attributes
## of non security named sockets.
##
-@@ -1073,10 +1502,8 @@ interface(`files_relabel_all_files',`
+@@ -1073,13 +1502,12 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -10773,7 +11530,20 @@ index f962f76..1a36ae2 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1609,6 @@ interface(`files_list_all',`
++ auth_relabelto_shadow($1)
+ ')
+
+ ########################################
+@@ -1140,6 +1568,8 @@ interface(`files_manage_all_files',`
+ # satisfy the assertions:
+ seutil_create_bin_policy($1)
+ files_manage_kernel_modules($1)
++ auth_reader_shadow($1)
++ auth_writer_shadow($1)
+ ')
+
+ ########################################
+@@ -1182,24 +1612,6 @@ interface(`files_list_all',`
########################################
##
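Review bot: The `auth_reader_shadow($1)` and `auth_writer_shadow($1)` calls added to `files_manage_all_files`, like `auth_relabelto_shadow($1)` in `files_relabel_all_files` just above, make the neverallow assertions pass by giving every caller the shadow reader/writer attributes, which permanently widens the set of domains those assertions exempt. The existing `# satisfy the assertions:` comment explains the mechanism but not that consequence, so I would extend it to `# satisfy the assertions: callers become shadow readers/writers, so review each new caller of this interface` and mention the same in the interface's summary so policy authors picking this interface for convenience understand what they are attaching to their domain. Both interface bodies start outside the hunk, so I cannot see whether the summaries already say anything about shadow access.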
@@ -10798,17 +11568,18 @@ index f962f76..1a36ae2 100644
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
-@@ -1443,9 +1852,6 @@ interface(`files_relabel_non_auth_files',`
- # device nodes with file types.
+@@ -1444,8 +1856,8 @@ interface(`files_relabel_non_auth_files',`
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
--
+
- # satisfy the assertions:
- seutil_relabelto_bin_policy($1)
++ # satisfy the assertions:
++ seutil_relabelto_bin_policy($1)
')
#############################################
-@@ -1601,6 +2007,24 @@ interface(`files_setattr_all_mountpoints',`
+@@ -1601,6 +2013,24 @@ interface(`files_setattr_all_mountpoints',`
########################################
##
@@ -10833,7 +11604,7 @@ index f962f76..1a36ae2 100644
## Do not audit attempts to set the attributes on all mount points.
##
##
-@@ -1691,6 +2115,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1691,6 +2121,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
##
@@ -10858,7 +11629,14 @@ index f962f76..1a36ae2 100644
## Do not audit attempts to write to mount points.
##
##
-@@ -1709,98 +2151,79 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1703,104 +2151,86 @@ interface(`files_dontaudit_write_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
++ dontaudit $1 self:capability dac_override;
+
+ dontaudit $1 mountpoint:dir write;
+ ')
########################################
##
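Review bot: The new `dontaudit $1 self:capability dac_override;` in `files_dontaudit_write_all_mountpoints` is placed between the closing `')` of `gen_require` and the blank line, and it silences a capability denial that neither the interface name nor its description mentions; every caller of this interface loses the dac_override audit record, which is exactly the kind of event an investigator wants to see when a confined domain overreaches. If the capability denial really accompanies the mount point write attempts this interface already hides, move it below the blank line next to `dontaudit $1 mountpoint:dir write;` and document it, e.g. `# presumably writing into a mount point as a non-owner also trips dac_override; suppress that with the write denial — confirm`; if only one caller needs it, the dontaudit belongs in that caller's policy instead. The interface's documentation header is outside the hunk.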
@@ -10978,7 +11756,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -1808,17 +2231,127 @@ interface(`files_root_filetrans',`
+@@ -1808,18 +2238,128 @@ interface(`files_root_filetrans',`
##
##
#
@@ -10995,6 +11773,7 @@ index f962f76..1a36ae2 100644
########################################
##
-## Do not audit attempts to read or write
+-## files in the root directory.
+## Do not audit attempts to write to / dirs.
+##
+##
@@ -11106,10 +11885,11 @@ index f962f76..1a36ae2 100644
+########################################
+##
+## Do not audit attempts to read or write
- ## files in the root directory.
++## files in the root directory.
##
##
-@@ -1892,25 +2425,25 @@ interface(`files_delete_root_dir_entry',`
+ ##
+@@ -1892,25 +2432,25 @@ interface(`files_delete_root_dir_entry',`
########################################
##
@@ -11141,7 +11921,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -1923,7 +2456,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2463,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -11150,7 +11930,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -1946,6 +2479,42 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2486,42 @@ interface(`files_unmount_rootfs',`
########################################
##
@@ -11193,7 +11973,7 @@ index f962f76..1a36ae2 100644
## Get attributes of the /boot directory.
##
##
-@@ -2181,6 +2750,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2757,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@@ -11218,7 +11998,7 @@ index f962f76..1a36ae2 100644
######################################
##
## Read symbolic links in the /boot directory.
-@@ -2645,6 +3232,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3239,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -11243,7 +12023,7 @@ index f962f76..1a36ae2 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2716,6 +3321,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3328,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -11251,7 +12031,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -2724,7 +3330,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3337,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -11260,7 +12040,7 @@ index f962f76..1a36ae2 100644
##
##
#
-@@ -2780,6 +3386,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3393,25 @@ interface(`files_manage_etc_files',`
########################################
##
@@ -11286,7 +12066,7 @@ index f962f76..1a36ae2 100644
## Delete system configuration files in /etc.
##
##
-@@ -2798,6 +3423,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3430,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -11311,7 +12091,7 @@ index f962f76..1a36ae2 100644
## Execute generic files in /etc.
##
##
-@@ -2963,24 +3606,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3613,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -11336,7 +12116,7 @@ index f962f76..1a36ae2 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3021,9 +3646,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3653,7 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -11347,7 +12127,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -3031,18 +3654,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3661,17 @@ interface(`files_read_etc_runtime_files',`
##
##
#
@@ -11369,7 +12149,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -3060,6 +3682,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3689,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
##
@@ -11396,7 +12176,7 @@ index f962f76..1a36ae2 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3077,6 +3719,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3726,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -11404,7 +12184,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3098,6 +3741,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3748,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -11412,7 +12192,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3142,34 +3786,34 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -3142,34 +3793,34 @@ interface(`files_etc_filetrans_etc_runtime',`
#
interface(`files_getattr_isid_type_dirs',`
gen_require(`
@@ -11455,7 +12235,7 @@ index f962f76..1a36ae2 100644
## that have not yet been labeled.
##
##
-@@ -3178,17 +3822,55 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+@@ -3178,12 +3829,50 @@ interface(`files_dontaudit_search_isid_type_dirs',`
##
##
#
@@ -11468,11 +12248,10 @@ index f962f76..1a36ae2 100644
- allow $1 file_t:dir list_dir_perms;
+ allow $1 unlabeled_t:dir setattr;
- ')
-
- ########################################
- ##
--## Read and write directories on new filesystems
++')
++
++########################################
++##
+## Do not audit attempts to search directories on new filesystems
+## that have not yet been labeled.
+##
@@ -11507,15 +12286,10 @@ index f962f76..1a36ae2 100644
+ ')
+
+ allow $1 unlabeled_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Read and write directories on new filesystems
- ## that have not yet been labeled.
- ##
- ##
-@@ -3199,10 +3881,10 @@ interface(`files_list_isid_type_dirs',`
+ ')
+
+ ########################################
+@@ -3199,10 +3888,10 @@ interface(`files_list_isid_type_dirs',`
#
interface(`files_rw_isid_type_dirs',`
gen_require(`
@@ -11528,7 +12302,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3218,10 +3900,66 @@ interface(`files_rw_isid_type_dirs',`
+@@ -3218,10 +3907,66 @@ interface(`files_rw_isid_type_dirs',`
#
interface(`files_delete_isid_type_dirs',`
gen_require(`
@@ -11571,9 +12345,8 @@ index f962f76..1a36ae2 100644
+interface(`files_mounton_isid',`
+ gen_require(`
+ type unlabeled_t;
- ')
-
-- delete_dirs_pattern($1, file_t, file_t)
++ ')
++
+ allow $1 unlabeled_t:dir mounton;
+')
+
@@ -11591,13 +12364,14 @@ index f962f76..1a36ae2 100644
+interface(`files_relabelfrom_isid_type',`
+ gen_require(`
+ type unlabeled_t;
-+ ')
-+
+ ')
+
+- delete_dirs_pattern($1, file_t, file_t)
+ dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;
')
########################################
-@@ -3237,10 +3975,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3237,10 +3982,10 @@ interface(`files_delete_isid_type_dirs',`
#
interface(`files_manage_isid_type_dirs',`
gen_require(`
@@ -11610,7 +12384,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3256,10 +3994,29 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +4001,29 @@ interface(`files_manage_isid_type_dirs',`
#
interface(`files_mounton_isid_type_dirs',`
gen_require(`
@@ -11642,7 +12416,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3275,10 +4032,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +4039,10 @@ interface(`files_mounton_isid_type_dirs',`
#
interface(`files_read_isid_type_files',`
gen_require(`
@@ -11655,7 +12429,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3294,10 +4051,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +4058,10 @@ interface(`files_read_isid_type_files',`
#
interface(`files_delete_isid_type_files',`
gen_require(`
@@ -11668,7 +12442,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3313,10 +4070,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +4077,10 @@ interface(`files_delete_isid_type_files',`
#
interface(`files_delete_isid_type_symlinks',`
gen_require(`
@@ -11681,7 +12455,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3332,10 +4089,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +4096,10 @@ interface(`files_delete_isid_type_symlinks',`
#
interface(`files_delete_isid_type_fifo_files',`
gen_require(`
@@ -11694,7 +12468,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3351,10 +4108,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +4115,10 @@ interface(`files_delete_isid_type_fifo_files',`
#
interface(`files_delete_isid_type_sock_files',`
gen_require(`
@@ -11707,7 +12481,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3370,10 +4127,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4134,10 @@ interface(`files_delete_isid_type_sock_files',`
#
interface(`files_delete_isid_type_blk_files',`
gen_require(`
@@ -11720,7 +12494,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3389,10 +4146,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4153,10 @@ interface(`files_delete_isid_type_blk_files',`
#
interface(`files_dontaudit_write_isid_chr_files',`
gen_require(`
@@ -11733,7 +12507,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3408,10 +4165,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4172,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
#
interface(`files_delete_isid_type_chr_files',`
gen_require(`
@@ -11746,7 +12520,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3427,10 +4184,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4191,10 @@ interface(`files_delete_isid_type_chr_files',`
#
interface(`files_manage_isid_type_files',`
gen_require(`
@@ -11759,7 +12533,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3446,10 +4203,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4210,10 @@ interface(`files_manage_isid_type_files',`
#
interface(`files_manage_isid_type_symlinks',`
gen_require(`
@@ -11772,7 +12546,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3465,10 +4222,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4229,29 @@ interface(`files_manage_isid_type_symlinks',`
#
interface(`files_rw_isid_type_blk_files',`
gen_require(`
@@ -11804,7 +12578,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3484,10 +4260,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4267,10 @@ interface(`files_rw_isid_type_blk_files',`
#
interface(`files_manage_isid_type_blk_files',`
gen_require(`
@@ -11817,7 +12591,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3503,10 +4279,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4286,10 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
@@ -11830,7 +12604,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3552,6 +4328,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3552,6 +4335,27 @@ interface(`files_dontaudit_getattr_home_dir',`
########################################
##
@@ -11858,7 +12632,7 @@ index f962f76..1a36ae2 100644
## Search home directories root (/home).
##
##
-@@ -3814,20 +4611,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4618,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -11902,7 +12676,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -4217,6 +5032,175 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +5039,175 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -12078,7 +12852,7 @@ index f962f76..1a36ae2 100644
########################################
##
## Allow the specified type to associate
-@@ -4239,6 +5223,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5230,26 @@ interface(`files_associate_tmp',`
########################################
##
@@ -12105,7 +12879,7 @@ index f962f76..1a36ae2 100644
## Get the attributes of the tmp directory (/tmp).
##
##
-@@ -4252,17 +5256,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5263,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -12144,7 +12918,7 @@ index f962f76..1a36ae2 100644
##
##
#
-@@ -4289,6 +5313,8 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5320,8 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -12153,7 +12927,7 @@ index f962f76..1a36ae2 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4325,6 +5351,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5358,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -12161,7 +12935,7 @@ index f962f76..1a36ae2 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4334,7 +5361,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5368,7 @@ interface(`files_list_tmp',`
##
##
##
@@ -12170,7 +12944,7 @@ index f962f76..1a36ae2 100644
##
##
#
-@@ -4346,14 +5373,33 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,21 +5380,41 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -12187,8 +12961,9 @@ index f962f76..1a36ae2 100644
+##
+## Domain not to audit.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_delete_tmp_dir_entry',`
+interface(`files_rw_generic_tmp_dir',`
+ gen_require(`
+ type tmp_t;
@@ -12206,10 +12981,10 @@ index f962f76..1a36ae2 100644
+##
+## Domain allowed access.
+##
- ##
- #
- interface(`files_delete_tmp_dir_entry',`
-@@ -4361,6 +5407,7 @@ interface(`files_delete_tmp_dir_entry',`
++##
++#
++interface(`files_delete_tmp_dir_entry',`
+ gen_require(`
type tmp_t;
')
@@ -12217,7 +12992,7 @@ index f962f76..1a36ae2 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4402,6 +5449,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5456,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
@@ -12250,7 +13025,7 @@ index f962f76..1a36ae2 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -4456,6 +5529,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,6 +5536,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
@@ -12293,7 +13068,7 @@ index f962f76..1a36ae2 100644
## Set the attributes of all tmp directories.
##
##
-@@ -4474,6 +5583,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4474,6 +5590,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
##
@@ -12354,7 +13129,7 @@ index f962f76..1a36ae2 100644
## List all tmp directories.
##
##
-@@ -4519,7 +5682,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4519,7 +5689,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
##
##
@@ -12363,7 +13138,7 @@ index f962f76..1a36ae2 100644
##
##
#
-@@ -4579,7 +5742,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4579,7 +5749,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
@@ -12372,7 +13147,7 @@ index f962f76..1a36ae2 100644
##
##
#
-@@ -4611,6 +5774,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,6 +5781,44 @@ interface(`files_read_all_tmp_files',`
########################################
##
@@ -12417,7 +13192,7 @@ index f962f76..1a36ae2 100644
## Create an object in the tmp directories, with a private
## type using a type transition.
##
-@@ -4664,6 +5865,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5872,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -12434,7 +13209,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -5112,6 +6323,24 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5112,6 +6330,24 @@ interface(`files_create_kernel_symbol_table',`
########################################
##
@@ -12459,7 +13234,7 @@ index f962f76..1a36ae2 100644
## Read system.map in the /boot directory.
##
##
-@@ -5241,6 +6470,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6477,24 @@ interface(`files_list_var',`
########################################
##
@@ -12484,7 +13259,7 @@ index f962f76..1a36ae2 100644
## Create, read, write, and delete directories
## in the /var directory.
##
-@@ -5328,7 +6575,7 @@ interface(`files_dontaudit_rw_var_files',`
+@@ -5328,7 +6582,7 @@ interface(`files_dontaudit_rw_var_files',`
type var_t;
')
@@ -12493,7 +13268,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -5527,6 +6774,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6781,25 @@ interface(`files_rw_var_lib_dirs',`
########################################
##
@@ -12519,7 +13294,7 @@ index f962f76..1a36ae2 100644
## Create objects in the /var/lib directory
##
##
-@@ -5596,6 +6862,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6869,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -12545,7 +13320,7 @@ index f962f76..1a36ae2 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5641,7 +6926,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6933,7 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -12554,7 +13329,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -5649,12 +6934,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6941,13 @@ interface(`files_manage_mounttab',`
##
##
#
@@ -12570,7 +13345,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -5672,6 +6958,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6965,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -12578,7 +13353,7 @@ index f962f76..1a36ae2 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5698,7 +6985,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6992,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
@@ -12606,7 +13381,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -5706,13 +7012,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +7019,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -12623,7 +13398,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -5731,7 +7036,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +7043,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -12632,7 +13407,7 @@ index f962f76..1a36ae2 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5764,7 +7069,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +7076,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -12640,7 +13415,7 @@ index f962f76..1a36ae2 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5779,7 +7083,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +7090,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
##
@@ -12649,7 +13424,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -5787,13 +7091,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +7098,33 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -12684,7 +13459,7 @@ index f962f76..1a36ae2 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5809,13 +7133,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +7140,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -12702,7 +13477,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -5834,9 +7157,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7164,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -12713,7 +13488,7 @@ index f962f76..1a36ae2 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5878,8 +7199,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7206,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -12723,7 +13498,7 @@ index f962f76..1a36ae2 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7221,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7228,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -12733,7 +13508,7 @@ index f962f76..1a36ae2 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7258,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7265,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -12743,7 +13518,7 @@ index f962f76..1a36ae2 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5979,7 +7297,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7304,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -12752,7 +13527,7 @@ index f962f76..1a36ae2 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5999,10 +7317,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7324,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -12801,7 +13576,7 @@ index f962f76..1a36ae2 100644
########################################
##
## Do not audit attempts to search
-@@ -6025,6 +7381,43 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,6 +7388,43 @@ interface(`files_dontaudit_search_pids',`
########################################
##
@@ -12845,7 +13620,7 @@ index f962f76..1a36ae2 100644
## List the contents of the runtime process
## ID directories (/var/run).
##
-@@ -6039,7 +7432,7 @@ interface(`files_list_pids',`
+@@ -6039,7 +7439,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
@@ -12854,7 +13629,7 @@ index f962f76..1a36ae2 100644
list_dirs_pattern($1, var_t, var_run_t)
')
-@@ -6058,7 +7451,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7458,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -12863,7 +13638,7 @@ index f962f76..1a36ae2 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6078,7 +7471,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7478,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -12872,7 +13647,7 @@ index f962f76..1a36ae2 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6140,7 +7533,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7540,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -12880,7 +13655,7 @@ index f962f76..1a36ae2 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6169,6 +7561,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7568,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
##
@@ -12905,7 +13680,7 @@ index f962f76..1a36ae2 100644
## Read and write generic process ID files.
##
##
-@@ -6182,7 +7592,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7599,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -12914,7 +13689,7 @@ index f962f76..1a36ae2 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6249,55 +7659,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7666,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -12977,7 +13752,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -6305,42 +7703,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7710,35 @@ interface(`files_delete_all_pids',`
##
##
#
@@ -13027,7 +13802,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -6348,18 +7739,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7746,18 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -13051,7 +13826,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -6367,37 +7758,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7765,40 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -13103,7 +13878,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -6405,18 +7799,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7806,17 @@ interface(`files_dontaudit_search_spool',`
##
##
#
@@ -13126,7 +13901,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -6424,18 +7817,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7824,18 @@ interface(`files_list_spool',`
##
##
#
@@ -13150,7 +13925,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -6443,19 +7836,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7843,18 @@ interface(`files_manage_generic_spool_dirs',`
##
##
#
@@ -13175,7 +13950,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -6463,109 +7855,62 @@ interface(`files_read_generic_spool',`
+@@ -6463,109 +7862,62 @@ interface(`files_read_generic_spool',`
##
##
#
@@ -13306,7 +14081,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -6573,10 +7918,944 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +7925,944 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -17276,7 +18051,7 @@ index 7be4ddf..9710b33 100644
+/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0)
+/sys/kernel/debug/.* <>
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..991e1a5 100644
+index e100d88..d2fc766 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -17536,7 +18311,7 @@ index e100d88..991e1a5 100644
## Do not audit attempts to list all proc directories.
##
##
-@@ -1477,6 +1640,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1477,6 +1640,28 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
##
@@ -17551,9 +18326,13 @@ index e100d88..991e1a5 100644
+interface(`kernel_read_all_proc',`
+ gen_require(`
+ attribute proc_type;
++ attribute can_dump_kernel;
++ attribute can_receive_kernel_messages;
+ ')
+
+ read_files_pattern($1, proc_type, proc_type)
++ typeattribute $1 can_dump_kernel;
++ typeattribute $1 can_receive_kernel_messages;
+')
+
+########################################
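Review bot: The two `typeattribute $1 can_dump_kernel;` and `typeattribute $1 can_receive_kernel_messages;` lines turn `kernel_read_all_proc` from a plain read interface into an exemption from whichever neverallow assertions are keyed on those attributes (the assertions themselves are not in this hunk), so every existing caller of the interface becomes exempt, not only the domain that tripped the assertion. If the goal is just to let the build pass, the narrower interfaces that already carry these attributes (e.g. `kernel_read_ring_buffer`, called elsewhere in this patch) are the better place, or the callers that genuinely need that access should be enumerated. At minimum the interface summary, which sits outside this hunk, should state the side effect: `## Also marks the domain as can_dump_kernel and can_receive_kernel_messages, exempting it from the neverallow assertions keyed on those attributes (presumably kernel core and ring-buffer reads).`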
@@ -17561,7 +18340,7 @@ index e100d88..991e1a5 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
##
-@@ -1672,7 +1853,7 @@ interface(`kernel_read_net_sysctls',`
+@@ -1672,7 +1857,7 @@ interface(`kernel_read_net_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -17570,7 +18349,7 @@ index e100d88..991e1a5 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1693,7 +1874,7 @@ interface(`kernel_rw_net_sysctls',`
+@@ -1693,7 +1878,7 @@ interface(`kernel_rw_net_sysctls',`
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -17579,7 +18358,7 @@ index e100d88..991e1a5 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1715,7 +1896,6 @@ interface(`kernel_read_unix_sysctls',`
+@@ -1715,7 +1900,6 @@ interface(`kernel_read_unix_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
@@ -17587,7 +18366,7 @@ index e100d88..991e1a5 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1750,16 +1930,9 @@ interface(`kernel_rw_unix_sysctls',`
+@@ -1750,16 +1934,9 @@ interface(`kernel_rw_unix_sysctls',`
## Domain allowed access.
##
##
@@ -17605,7 +18384,7 @@ index e100d88..991e1a5 100644
')
########################################
-@@ -1771,16 +1944,9 @@ interface(`kernel_read_hotplug_sysctls',`
+@@ -1771,16 +1948,9 @@ interface(`kernel_read_hotplug_sysctls',`
## Domain allowed access.
##
##
@@ -17623,7 +18402,7 @@ index e100d88..991e1a5 100644
')
########################################
-@@ -1792,16 +1958,9 @@ interface(`kernel_rw_hotplug_sysctls',`
+@@ -1792,16 +1962,9 @@ interface(`kernel_rw_hotplug_sysctls',`
## Domain allowed access.
##
##
@@ -17641,7 +18420,7 @@ index e100d88..991e1a5 100644
')
########################################
-@@ -1813,16 +1972,9 @@ interface(`kernel_read_modprobe_sysctls',`
+@@ -1813,16 +1976,9 @@ interface(`kernel_read_modprobe_sysctls',`
## Domain allowed access.
##
##
@@ -17659,7 +18438,7 @@ index e100d88..991e1a5 100644
')
########################################
-@@ -2085,9 +2237,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,9 +2241,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -17689,7 +18468,7 @@ index e100d88..991e1a5 100644
########################################
##
## Allow caller to read all sysctls.
-@@ -2282,6 +2453,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2457,25 @@ interface(`kernel_list_unlabeled',`
########################################
##
@@ -17715,7 +18494,7 @@ index e100d88..991e1a5 100644
## Read the process state (/proc/pid) of all unlabeled_t.
##
##
-@@ -2306,7 +2496,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2500,7 @@ interface(`kernel_read_unlabeled_state',`
##
##
##
@@ -17724,7 +18503,7 @@ index e100d88..991e1a5 100644
##
##
#
-@@ -2488,6 +2678,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2682,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
##
@@ -17749,7 +18528,7 @@ index e100d88..991e1a5 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
##
-@@ -2525,6 +2733,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2737,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
##
@@ -17774,7 +18553,7 @@ index e100d88..991e1a5 100644
## Allow caller to relabel unlabeled files.
##
##
-@@ -2667,16 +2893,34 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,16 +2897,34 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
##
@@ -17818,7 +18597,7 @@ index e100d88..991e1a5 100644
##
##
##
-@@ -2694,6 +2938,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2942,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
##
@@ -17844,7 +18623,7 @@ index e100d88..991e1a5 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
-@@ -2803,6 +3066,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +3070,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -17878,7 +18657,7 @@ index e100d88..991e1a5 100644
########################################
##
-@@ -2958,6 +3248,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3252,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
@@ -17903,7 +18682,7 @@ index e100d88..991e1a5 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2972,5 +3280,628 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3284,628 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -18534,7 +19313,7 @@ index e100d88..991e1a5 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..46d7f18 100644
+index 8dbab4c..a85c5d7 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -18690,7 +19469,7 @@ index 8dbab4c..46d7f18 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -277,25 +315,53 @@ files_list_root(kernel_t)
+@@ -277,25 +315,54 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -18720,6 +19499,7 @@ index 8dbab4c..46d7f18 100644
+
+optional_policy(`
+ abrt_filetrans_named_content(kernel_t)
++ abrt_dump_oops_domtrans(kernel_t)
+')
+
+optional_policy(`
@@ -18744,7 +19524,7 @@ index 8dbab4c..46d7f18 100644
')
optional_policy(`
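Review bot: `abrt_dump_oops_domtrans(kernel_t)` is a base-policy call into an interface that this commit defines only in the contrib patch (`abrt.if`), so the base patch now depends on the contrib patch being applied in the same build; the `optional_policy` wrapper hides the dependency rather than documenting it. Given that the same commit grants abrt_dump_oops_t `sys_ptrace` and ptrace over all domains in the contrib part, a kernel-initiated transition into that domain deserves a why-comment next to the call, e.g. `# kernel-spawned abrt-dump-oops (presumably via a usermode helper) must not run as kernel_t; transition it into its own domain`. The enclosing `optional_policy` block continues past this hunk.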
-@@ -305,6 +371,19 @@ optional_policy(`
+@@ -305,6 +372,19 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
@@ -18764,7 +19544,7 @@ index 8dbab4c..46d7f18 100644
')
optional_policy(`
-@@ -312,6 +391,11 @@ optional_policy(`
+@@ -312,6 +392,11 @@ optional_policy(`
')
optional_policy(`
@@ -18776,7 +19556,7 @@ index 8dbab4c..46d7f18 100644
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +416,6 @@ optional_policy(`
+@@ -332,9 +417,6 @@ optional_policy(`
sysnet_read_config(kernel_t)
@@ -18786,7 +19566,7 @@ index 8dbab4c..46d7f18 100644
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +424,7 @@ optional_policy(`
+@@ -343,9 +425,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -18797,7 +19577,7 @@ index 8dbab4c..46d7f18 100644
')
tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +433,7 @@ optional_policy(`
+@@ -354,7 +434,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -18806,7 +19586,7 @@ index 8dbab4c..46d7f18 100644
')
')
-@@ -367,6 +446,15 @@ optional_policy(`
+@@ -367,6 +447,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@@ -18822,7 +19602,7 @@ index 8dbab4c..46d7f18 100644
########################################
#
# Unlabeled process local policy
-@@ -399,14 +487,39 @@ if( ! secure_mode_insmod ) {
+@@ -399,14 +488,39 @@ if( ! secure_mode_insmod ) {
# Rules for unconfined acccess to this module
#
@@ -19433,10 +20213,10 @@ index 54f1827..6910c88 100644
+/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 64c4cd0..542299c 100644
+index 64c4cd0..52070af 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
-@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
+@@ -22,6 +22,30 @@ interface(`storage_getattr_fixed_disk_dev',`
########################################
##
@@ -19451,11 +20231,15 @@ index 64c4cd0..542299c 100644
+#
+interface(`storage_rw_inherited_fixed_disk_dev',`
+ gen_require(`
-+ type fixed_disk_device_t;
++ type fixed_disk_device_t;
++ attribute fixed_disk_raw_read;
++ attribute fixed_disk_raw_write;
+ ')
+
-+ allow $1 fixed_disk_device_t:chr_file { read write };
-+ allow $1 fixed_disk_device_t:blk_file { read write };
++ allow $1 fixed_disk_device_t:chr_file { read write };
++ allow $1 fixed_disk_device_t:blk_file { read write };
++ typeattribute $1 fixed_disk_raw_read;
++ typeattribute $1 fixed_disk_raw_write;
+')
+
+########################################
@@ -19463,7 +20247,7 @@ index 64c4cd0..542299c 100644
## Do not audit attempts made by the caller to get
## the attributes of fixed disk device nodes.
##
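Review bot: The added `typeattribute $1 fixed_disk_raw_read;` / `fixed_disk_raw_write;` lines tag a domain that only reads and writes an already-open descriptor with the same attributes as domains allowed to open raw disks, which erases a distinction auditors rely on when querying policy by attribute (a `sesearch` on those attributes no longer separates openers from inheritors). If the attributes are required to satisfy a neverallow assertion that is not in this hunk, the interface description above the hunk should say so, e.g. `## The caller is also added to fixed_disk_raw_read and fixed_disk_raw_write so the raw-disk neverallow assertions accept it; no open permission is granted.` The remaining lines of the hunk only change leading whitespace on the existing rules.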
-@@ -101,6 +121,8 @@ interface(`storage_raw_read_fixed_disk',`
+@@ -101,6 +125,8 @@ interface(`storage_raw_read_fixed_disk',`
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
@@ -19472,7 +20256,7 @@ index 64c4cd0..542299c 100644
typeattribute $1 fixed_disk_raw_read;
')
-@@ -186,6 +208,7 @@ interface(`storage_dontaudit_write_fixed_disk',`
+@@ -186,6 +212,7 @@ interface(`storage_dontaudit_write_fixed_disk',`
interface(`storage_raw_rw_fixed_disk',`
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
@@ -19480,7 +20264,7 @@ index 64c4cd0..542299c 100644
')
########################################
-@@ -205,6 +228,7 @@ interface(`storage_create_fixed_disk_dev',`
+@@ -205,6 +232,7 @@ interface(`storage_create_fixed_disk_dev',`
allow $1 self:capability mknod;
allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
@@ -19488,7 +20272,7 @@ index 64c4cd0..542299c 100644
dev_add_entry_generic_dirs($1)
')
-@@ -274,6 +298,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
+@@ -274,6 +302,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
')
@@ -19537,7 +20321,7 @@ index 64c4cd0..542299c 100644
########################################
##
## Create block devices in on a tmpfs filesystem with the
-@@ -295,6 +361,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',`
+@@ -295,6 +365,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',`
########################################
##
@@ -19563,7 +20347,43 @@ index 64c4cd0..542299c 100644
## Relabel fixed disk device nodes.
##
##
-@@ -716,6 +801,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
+@@ -478,6 +567,35 @@ interface(`storage_write_scsi_generic',`
+ typeattribute $1 scsi_generic_write;
+ ')
+
++
++########################################
++##
++## Allow the caller to directly read and write, in a
++## generic fashion, from any SCSI device.
++## This is extremly dangerous as it can bypass the
++## SELinux protections for filesystem objects, and
++## should only be used by trusted domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`storage_rw_inherited_scsi_generic',`
++ gen_require(`
++ attribute scsi_generic_read;
++ attribute scsi_generic_write;
++ type scsi_generic_device_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 scsi_generic_device_t:chr_file rw_inherited_chr_file_perms;
++ allow $1 scsi_generic_device_t:chr_file rw_inherited_blk_file_perms;
++ typeattribute $1 scsi_generic_write;
++ typeattribute $1 scsi_generic_read;
++')
++
+ ########################################
+ ##
+ ## Set attributes of the device nodes
+@@ -716,6 +834,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
')
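Review bot: In `storage_rw_inherited_scsi_generic` the line `allow $1 scsi_generic_device_t:chr_file rw_inherited_blk_file_perms;` applies a block-file permission macro to the `chr_file` class, immediately after the correct `rw_inherited_chr_file_perms` line; since `scsi_generic_device_t` appears to label character devices this second rule looks like a copy-paste remnant and should be dropped (or, if a block-device rule is genuinely intended, use the `blk_file` class with it). `dev_list_all_dev_nodes($1)` also seems out of place in an "inherited" interface, whose point is that the descriptor is already open, so callers should not need to list /dev. In the description, `extremly` should read `extremely`.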
@@ -19588,7 +20408,7 @@ index 64c4cd0..542299c 100644
########################################
##
## Allow the caller to directly read
-@@ -813,3 +916,452 @@ interface(`storage_unconfined',`
+@@ -813,3 +949,452 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type;
')
@@ -29100,7 +29920,7 @@ index 2479587..890e1e2 100644
/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..9e85ea0 100644
+index 3efd5b6..3db526f 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -29651,33 +30471,75 @@ index 3efd5b6..9e85ea0 100644
## Read login records files (/var/log/wtmp).
##
##
-@@ -1726,24 +1968,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1968,63 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
--')
--
--########################################
--##
++ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
+ ')
+
+ ########################################
+ ##
-## Relabel login record files.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
++## Read access to the authlogin module.
+ ##
++##
++##
++## Read access to the authlogin module.
++##
++##
++## Currently, this only allows assertions for
++## the shadow passwords file (/etc/shadow) to
++## be passed. No access is granted yet.
++##
++##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
-interface(`auth_relabel_login_records',`
-- gen_require(`
++interface(`auth_reader_shadow',`
+ gen_require(`
- type wtmp_t;
-- ')
--
++ attribute can_read_shadow_passwords;
+ ')
+
- allow $1 wtmp_t:file relabel_file_perms;
-+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
++ typeattribute $1 can_read_shadow_passwords;
++')
++
++########################################
++##
++## Write access to the authlogin module.
++##
++##
++##
++## Write access to the authlogin module.
++##
++##
++## Currently, this only allows assertions for
++## the shadow passwords file (/etc/shadow) to
++## be passed. No access is granted yet.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_writer_shadow',`
++ gen_require(`
++ attribute can_write_shadow_passwords;
++ ')
++
++ typeattribute $1 can_write_shadow_passwords;
')
########################################
-@@ -1767,11 +1992,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +2048,13 @@ interface(`auth_relabel_login_records',`
##
#
interface(`auth_use_nsswitch',`
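Review bot: The summary and description of `auth_reader_shadow` both read `## Read access to the authlogin module.` (likewise `## Write access ...` for `auth_writer_shadow`), which is misleading: the bodies only add the caller to `can_read_shadow_passwords` / `can_write_shadow_passwords`, i.e. they exempt the domain from the shadow-file neverallow assertions and grant no `allow` rule. A maintainer grepping for who may touch /etc/shadow needs that stated plainly, e.g. `## Mark the domain as a permitted reader of shadow_t for neverallow assertions; grants no access by itself, and should be paired with auth_read_shadow.` Because these interfaces widen the set of assertion-exempt domains, each caller added elsewhere in the policy should be justified individually rather than via a blanket helper.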
@@ -29694,7 +30556,7 @@ index 3efd5b6..9e85ea0 100644
')
########################################
-@@ -1805,3 +2032,280 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2088,280 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index b1f2938..a121c91 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -80,7 +80,7 @@ index 1a93dc5..f2b26f5 100644
-/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/abrt.if b/abrt.if
-index 058d908..158acba 100644
+index 058d908..7da78c7 100644
--- a/abrt.if
+++ b/abrt.if
@@ -1,4 +1,26 @@
@@ -111,7 +111,33 @@ index 058d908..158acba 100644
######################################
##
-@@ -40,7 +62,7 @@ interface(`abrt_exec',`
+@@ -21,6 +43,25 @@ interface(`abrt_domtrans',`
+
+ ######################################
+ ##
++## Execute abrt_dump_oops in the abrt_dump_oops_t domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`abrt_dump_oops_domtrans',`
++ gen_require(`
++ type abrt_dump_oops_t, abrt_dump_oops_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, abrt_dump_oops_exec_t, abrt_dump_oops_t)
++')
++
++######################################
++##
+ ## Execute abrt in the caller domain.
+ ##
+ ##
+@@ -40,7 +81,7 @@ interface(`abrt_exec',`
########################################
##
@@ -120,7 +146,7 @@ index 058d908..158acba 100644
##
##
##
-@@ -58,7 +80,7 @@ interface(`abrt_signull',`
+@@ -58,7 +99,7 @@ interface(`abrt_signull',`
########################################
##
@@ -129,7 +155,7 @@ index 058d908..158acba 100644
##
##
##
-@@ -71,12 +93,13 @@ interface(`abrt_read_state',`
+@@ -71,12 +112,13 @@ interface(`abrt_read_state',`
type abrt_t;
')
@@ -144,7 +170,7 @@ index 058d908..158acba 100644
##
##
##
-@@ -116,8 +139,7 @@ interface(`abrt_dbus_chat',`
+@@ -116,8 +158,7 @@ interface(`abrt_dbus_chat',`
#####################################
##
@@ -154,7 +180,7 @@ index 058d908..158acba 100644
##
##
##
-@@ -130,15 +152,13 @@ interface(`abrt_domtrans_helper',`
+@@ -130,15 +171,13 @@ interface(`abrt_domtrans_helper',`
type abrt_helper_t, abrt_helper_exec_t;
')
@@ -172,7 +198,7 @@ index 058d908..158acba 100644
##
##
##
-@@ -163,8 +183,26 @@ interface(`abrt_run_helper',`
+@@ -163,8 +202,45 @@ interface(`abrt_run_helper',`
########################################
##
@@ -198,53 +224,53 @@ index 058d908..158acba 100644
+########################################
+##
+## Append abrt cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_append_cache',`
++ gen_require(`
++ type abrt_var_cache_t;
++ ')
++
++
++ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
++')
++
++########################################
++##
++## Read/Write inherited abrt cache
##
##
##
-@@ -172,15 +210,37 @@ interface(`abrt_run_helper',`
+@@ -172,15 +248,18 @@ interface(`abrt_run_helper',`
##
##
#
-interface(`abrt_cache_manage',`
- refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
- abrt_manage_cache($1)
-+interface(`abrt_append_cache',`
++interface(`abrt_rw_inherited_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+
-+ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
++ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## abrt cache content.
-+## Read/Write inherited abrt cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_rw_inherited_cache',`
-+ gen_require(`
-+ type abrt_var_cache_t;
-+ ')
-+
-+
-+ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
+## Manage abrt cache
##
##
##
-@@ -193,7 +253,6 @@ interface(`abrt_manage_cache',`
+@@ -193,7 +272,6 @@ interface(`abrt_manage_cache',`
type abrt_var_cache_t;
')
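Review bot: Both `abrt_append_cache` and `abrt_rw_inherited_cache` carry two consecutive blank lines between `gen_require` and the `allow` rule; the rest of `abrt.if` uses a single blank line there, so one of each pair should be dropped. The hunk otherwise only reorders the two interfaces, so no behaviour changes.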
@@ -252,7 +278,7 @@ index 058d908..158acba 100644
manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-@@ -201,7 +260,7 @@ interface(`abrt_manage_cache',`
+@@ -201,7 +279,7 @@ interface(`abrt_manage_cache',`
####################################
##
@@ -261,7 +287,7 @@ index 058d908..158acba 100644
##
##
##
-@@ -218,9 +277,29 @@ interface(`abrt_read_config',`
+@@ -218,9 +296,29 @@ interface(`abrt_read_config',`
read_files_pattern($1, abrt_etc_t, abrt_etc_t)
')
@@ -292,7 +318,7 @@ index 058d908..158acba 100644
##
##
##
-@@ -258,8 +337,7 @@ interface(`abrt_read_pid_files',`
+@@ -258,8 +356,7 @@ interface(`abrt_read_pid_files',`
######################################
##
@@ -302,7 +328,7 @@ index 058d908..158acba 100644
##
##
##
-@@ -276,10 +354,52 @@ interface(`abrt_manage_pid_files',`
+@@ -276,10 +373,52 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
@@ -357,7 +383,7 @@ index 058d908..158acba 100644
##
##
##
-@@ -288,39 +408,174 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +427,174 @@ interface(`abrt_manage_pid_files',`
##
##
##
@@ -546,7 +572,7 @@ index 058d908..158acba 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..d6d0e34 100644
+index eb50f07..f93be3c 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -989,7 +1015,7 @@ index eb50f07..d6d0e34 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +456,60 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +456,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1011,7 +1037,7 @@ index eb50f07..d6d0e34 100644
#
-allow abrt_dump_oops_t self:capability dac_override;
-+allow abrt_dump_oops_t self:capability { ipc_lock fowner chown fsetid dac_override };
++allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override };
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
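Review bot: The capability set for abrt_dump_oops_t grows by `kill net_admin sys_ptrace`, and the next hunk adds `domain_ptrace_all_domains(abrt_dump_oops_t)` and `domain_read_all_domains_state(abrt_dump_oops_t)`; together these let a daemon whose job is to parse kernel log text attach to and read the state of every process on the system, which is a large trust expansion for a domain the kernel itself now transitions into. Each capability should get a why-comment naming the operation that needs it, and `net_admin` in particular looks unrelated to oops collection and may be a dontaudit candidate if it only shows up as a probe. If ptrace is required for one specific target (the abrt daemon, for instance), a targeted `ptrace` rule is preferable to the all-domains interface.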
@@ -1034,13 +1060,17 @@ index eb50f07..d6d0e34 100644
+kernel_read_debugfs(abrt_dump_oops_t)
kernel_read_kernel_sysctls(abrt_dump_oops_t)
kernel_read_ring_buffer(abrt_dump_oops_t)
-
++kernel_read_security_state(abrt_dump_oops_t)
++
+auth_read_passwd(abrt_dump_oops_t)
+
+dev_read_urand(abrt_dump_oops_t)
+dev_read_rand(abrt_dump_oops_t)
-+
+
domain_use_interactive_fds(abrt_dump_oops_t)
++domain_signull_all_domains(abrt_dump_oops_t)
++domain_ptrace_all_domains(abrt_dump_oops_t)
++domain_read_all_domains_state(abrt_dump_oops_t)
+fs_getattr_all_fs(abrt_dump_oops_t)
fs_list_inotifyfs(abrt_dump_oops_t)
@@ -1054,7 +1084,7 @@ index eb50f07..d6d0e34 100644
#######################################
#
-@@ -404,25 +517,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +521,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1117,7 +1147,7 @@ index eb50f07..d6d0e34 100644
')
#######################################
-@@ -430,10 +578,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +582,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -3364,10 +3394,10 @@ index 0000000..6183b21
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 7caefc3..3ef1de6 100644
+index 7caefc3..239cefa 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,162 +1,207 @@
+@@ -1,162 +1,211 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3407,6 +3437,7 @@ index 7caefc3..3ef1de6 100644
+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/opt/rh/rh-nginx18/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
@@ -3586,6 +3617,7 @@ index 7caefc3..3ef1de6 100644
+/var/lib/moodle(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/opt/rh/rh-nginx18/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/php/wsdlcache(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+
@@ -3626,6 +3658,7 @@ index 7caefc3..3ef1de6 100644
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/opt/rh/rh-nginx18/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
@@ -3663,6 +3696,7 @@ index 7caefc3..3ef1de6 100644
+/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/opt/rh/rh-nginx18/run/nginx(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/thttpd\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -9692,6 +9726,195 @@ index f5c1a48..f7b4f1d 100644
tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
')
+
+diff --git a/blkmapd.fc b/blkmapd.fc
+new file mode 100644
+index 0000000..5e59fb4
+--- /dev/null
++++ b/blkmapd.fc
+@@ -0,0 +1,6 @@
++
++/etc/rc\.d/init\.d/blkmapd -- gen_context(system_u:object_r:blkmapd_initrc_exec_t,s0)
++
++/usr/sbin/blkmapd -- gen_context(system_u:object_r:blkmapd_exec_t,s0)
++
++/var/run/blkmapd\.pid -- gen_context(system_u:object_r:blkmapd_var_run_t,s0)
+diff --git a/blkmapd.if b/blkmapd.if
+new file mode 100644
+index 0000000..7666379
+--- /dev/null
++++ b/blkmapd.if
+@@ -0,0 +1,121 @@
++
++## The blkmapd daemon performs device discovery and mapping for pNFS block layout client.
++
++########################################
++##
++## Execute blkmapd_exec_t in the blkmapd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`blkmapd_domtrans',`
++ gen_require(`
++ type blkmapd_t, blkmapd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, blkmapd_exec_t, blkmapd_t)
++')
++
++######################################
++##
++## Execute blkmapd in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`blkmapd_exec',`
++ gen_require(`
++ type blkmapd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, blkmapd_exec_t)
++')
++
++########################################
++##
++## Execute blkmapd server in the blkmapd domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`blkmapd_initrc_domtrans',`
++ gen_require(`
++ type blkmapd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, blkmapd_initrc_exec_t)
++')
++########################################
++##
++## Read blkmapd PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`blkmapd_read_pid_files',`
++ gen_require(`
++ type blkmapd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, blkmapd_var_run_t, blkmapd_var_run_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an blkmapd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`blkmapd_admin',`
++ gen_require(`
++ type blkmapd_t;
++ type blkmapd_initrc_exec_t;
++ type blkmapd_var_run_t;
++ ')
++
++ allow $1 blkmapd_t:process { signal_perms };
++ ps_process_pattern($1, blkmapd_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 blkmapd_t:process ptrace;
++ ')
++
++ blkmapd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 blkmapd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_pids($1)
++ admin_pattern($1, blkmapd_var_run_t)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/blkmapd.te b/blkmapd.te
+new file mode 100644
+index 0000000..6cfb355
+--- /dev/null
++++ b/blkmapd.te
+@@ -0,0 +1,44 @@
++policy_module(blkmapd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type blkmapd_t;
++type blkmapd_exec_t;
++init_daemon_domain(blkmapd_t, blkmapd_exec_t)
++
++type blkmapd_initrc_exec_t;
++init_script_file(blkmapd_initrc_exec_t)
++
++type blkmapd_var_run_t;
++files_pid_file(blkmapd_var_run_t)
++
++
++########################################
++#
++# blkmapd local policy
++#
++
++allow blkmapd_t self:capability sys_rawio;
++
++manage_files_pattern(blkmapd_t, blkmapd_var_run_t, blkmapd_var_run_t)
++files_pid_filetrans(blkmapd_t, blkmapd_var_run_t, file)
++
++kernel_read_system_state(blkmapd_t)
++
++dev_list_sysfs(blkmapd_t)
++
++fs_list_rpc(blkmapd_t)
++fs_rw_rpc_named_pipes(blkmapd_t)
++
++storage_raw_read_fixed_disk(blkmapd_t)
++storage_raw_read_removable_device(blkmapd_t)
++
++
++logging_send_syslog_msg(blkmapd_t)
++
++optional_policy(`
++ rpc_read_nfs_state_data(blkmapd_t)
++')
diff --git a/blueman.fc b/blueman.fc
index c295d2e..4f84e9c 100644
--- a/blueman.fc
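Review bot: `allow blkmapd_t self:capability sys_rawio;` in the new blkmapd.te carries no explanation, and together with `storage_raw_read_fixed_disk` and `storage_raw_read_removable_device` it lets the daemon read every block device and issue raw I/O ioctls; a one-line note on what triggers the capability, e.g. `# sys_rawio: raw ioctls during pNFS device signature scan — confirm against audit log`, would let a later reviewer drop it if the daemon runs without it. Separately, blkmapd.if and blkmapd.fc only know an init script (`blkmapd_initrc_exec_t`), while the ipmievd module added in this same commit ships a `_unit_file_t` and a `_systemctl()` interface; if nfs-utils starts blkmapd from a systemd unit, `blkmapd_admin` cannot manage the service until the same pieces exist here. Both points are inferred from the visible rules, not from the daemon's source.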
@@ -35956,10 +36179,10 @@ index 6517fad..f183748 100644
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
')
diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..2e4b08a 100644
+index 4eb7041..3ba4a51 100644
--- a/hypervkvp.te
+++ b/hypervkvp.te
-@@ -5,24 +5,135 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,139 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
@@ -35997,7 +36220,7 @@ index 4eb7041..2e4b08a 100644
#
-# Local policy
+# hyperv domain local policy
-+#
+ #
+
+allow hyperv_domain self:capability net_admin;
+allow hyperv_domain self:netlink_socket create_socket_perms;
@@ -36011,12 +36234,13 @@ index 4eb7041..2e4b08a 100644
+dev_read_sysfs(hyperv_domain)
+
+########################################
- #
++#
+# hypervkvp local policy
#
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
++allow hypervkvp_t self:capability sys_ptrace;
+allow hypervkvp_t self:process setfscreate;
+allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;
+
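Review bot: `allow hypervkvp_t self:capability sys_ptrace;` is added unconditionally; if its only purpose is the `pidof` call mentioned in the changelog, the kernel requests CAP_SYS_PTRACE when pidof resolves `/proc/<pid>/exe` of other users' processes, and pidof implementations typically fall back to matching on `/proc/<pid>/stat` when that readlink fails (verify with the shipped pidof), in which case `dontaudit hypervkvp_t self:capability sys_ptrace;` silences the denial without handing the daemon the capability. If the capability is truly required, gate it with `tunable_policy(`deny_ptrace`,`',` allow hypervkvp_t self:capability sys_ptrace; ')` so deny_ptrace keeps its meaning. The hypervkvp_t section continues past this hunk.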
@@ -36032,6 +36256,8 @@ index 4eb7041..2e4b08a 100644
+kernel_read_network_state(hypervkvp_t)
+kernel_rw_net_sysctls(hypervkvp_t)
+
++corecmd_getattr_all_executables(hypervkvp_t)
++
+domain_read_all_domains_state(hypervkvp_t)
+
+seutil_exec_setfiles(hypervkvp_t)
@@ -36074,6 +36300,7 @@ index 4eb7041..2e4b08a 100644
+
+optional_policy(`
+ dbus_read_pid_files(hypervkvp_t)
++ dbus_system_bus_client(hypervkvp_t)
+')
+
+optional_policy(`
@@ -36976,10 +37203,10 @@ index 0000000..71bde7d
+
diff --git a/ipa.te b/ipa.te
new file mode 100644
-index 0000000..7d70dcb
+index 0000000..694c092
--- /dev/null
+++ b/ipa.te
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,122 @@
+policy_module(ipa, 1.0.0)
+
+########################################
@@ -37047,7 +37274,10 @@ index 0000000..7d70dcb
+#
+
+
-+allow ipa_helper_t self:capability { dac_override chown };
++allow ipa_helper_t self:capability { net_admin dac_override chown };
++
++#kernel bug
++dontaudit ipa_helper_t self:capability2 block_suspend;
+
+allow ipa_helper_t self:process setfscreate;
+allow ipa_helper_t self:fifo_file rw_fifo_file_perms;
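Review bot: Two new rules lack the context a reviewer needs: `allow ipa_helper_t self:capability { net_admin dac_override chown };` adds net_admin with no hint of which operation of the IPA client helper needs it, and the `#kernel bug` comment above the block_suspend dontaudit names neither the bug nor the trigger, so nobody will know when it can be removed. Suggest `# net_admin: <operation> (rhbz#…)` on the capability line, and replacing `#kernel bug` with `# block_suspend is requested spuriously by the kernel (rhbz#…); dontaudit until fixed`, filling in the real reference. If net_admin was only observed as a denial rather than as a functional failure, a dontaudit may be the better fit. The ipa_helper_t section continues outside this hunk.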
@@ -37065,6 +37295,8 @@ index 0000000..7d70dcb
+
+auth_use_nsswitch(ipa_helper_t)
+
++files_list_tmp(ipa_helper_t)
++
+ipa_manage_pid_files(ipa_helper_t)
+ipa_read_lib(ipa_helper_t)
+
@@ -37087,12 +37319,191 @@ index 0000000..7d70dcb
+')
+
+optional_policy(`
++ rpm_read_db(ipa_helper_t)
++')
++
++optional_policy(`
+ samba_read_config(ipa_helper_t)
+')
+
+optional_policy(`
+ sssd_manage_lib_files(ipa_helper_t)
+')
+diff --git a/ipmievd.fc b/ipmievd.fc
+new file mode 100644
+index 0000000..caf1fe5
+--- /dev/null
++++ b/ipmievd.fc
+@@ -0,0 +1,5 @@
++/usr/lib/systemd/system/ipmievd\.service -- gen_context(system_u:object_r:ipmievd_unit_file_t,s0)
++
++/usr/sbin/ipmievd -- gen_context(system_u:object_r:ipmievd_exec_t,s0)
++
++/var/run/ipmievd\.pid -- gen_context(system_u:object_r:ipmievd_var_run_t,s0)
+diff --git a/ipmievd.if b/ipmievd.if
+new file mode 100644
+index 0000000..e86db54
+--- /dev/null
++++ b/ipmievd.if
+@@ -0,0 +1,120 @@
++## IPMI event daemon for sending events to syslog.
++
++########################################
++##
++## Execute ipmievd_exec_t in the ipmievd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ipmievd_domtrans',`
++ gen_require(`
++ type ipmievd_t, ipmievd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, ipmievd_exec_t, ipmievd_t)
++')
++
++######################################
++##
++## Execute ipmievd in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipmievd_exec',`
++ gen_require(`
++ type ipmievd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, ipmievd_exec_t)
++')
++
++########################################
++##
++## Read ipmievd PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipmievd_read_pid_files',`
++ gen_require(`
++ type ipmievd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, ipmievd_var_run_t, ipmievd_var_run_t)
++')
++
++########################################
++##
++## Execute ipmievd server in the ipmievd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ipmievd_systemctl',`
++ gen_require(`
++ type ipmievd_t;
++ type ipmievd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 ipmievd_unit_file_t:file read_file_perms;
++ allow $1 ipmievd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, ipmievd_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an ipmievd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipmievd_admin',`
++ gen_require(`
++ type ipmievd_t;
++ type ipmievd_var_run_t;
++ type ipmievd_unit_file_t;
++ ')
++
++ allow $1 ipmievd_t:process { signal_perms };
++ ps_process_pattern($1, ipmievd_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ipmievd_t:process ptrace;
++ ')
++
++ files_search_pids($1)
++ admin_pattern($1, ipmievd_var_run_t)
++
++ ipmievd_systemctl($1)
++ admin_pattern($1, ipmievd_unit_file_t)
++ allow $1 ipmievd_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/ipmievd.te b/ipmievd.te
+new file mode 100644
+index 0000000..f8428ca
+--- /dev/null
++++ b/ipmievd.te
+@@ -0,0 +1,32 @@
++policy_module(ipmievd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ipmievd_t;
++type ipmievd_exec_t;
++init_daemon_domain(ipmievd_t, ipmievd_exec_t)
++
++type ipmievd_var_run_t;
++files_pid_file(ipmievd_var_run_t)
++
++type ipmievd_unit_file_t;
++systemd_unit_file(ipmievd_unit_file_t)
++
++########################################
++#
++# ipmievd local policy
++#
++
++allow ipmievd_t self:process { fork setpgid };
++allow ipmievd_t self:fifo_file rw_fifo_file_perms;
++
++manage_files_pattern(ipmievd_t, ipmievd_var_run_t, ipmievd_var_run_t)
++files_pid_filetrans(ipmievd_t, ipmievd_var_run_t, { file })
++
++dev_rw_ipmi_dev(ipmievd_t)
++
++logging_send_syslog_msg(ipmievd_t)
++
diff --git a/irc.fc b/irc.fc
index 48e7739..1bf0326 100644
--- a/irc.fc
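Review bot: The summary of `ipmievd_systemctl` in the new ipmievd.if reads `Execute ipmievd server in the ipmievd domain.` and describes its parameter as "Domain allowed to transition", but the interface runs systemctl and grants `manage_service_perms` on `ipmievd_unit_file_t`; the text is copied from the domtrans template and should read `## Execute systemctl to manage the ipmievd service.` with the parameter described as the domain allowed access. The same copy-paste appears in the interface doc layout elsewhere in the file, so a quick pass over all five summaries is worthwhile. A hedged observation on ipmievd.te: the domain gets `dev_rw_ipmi_dev` but no rule for reading any configuration file, so if the daemon reads anything under /etc at startup that will surface as a denial.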
@@ -37572,7 +37983,7 @@ index 1a35420..8101022 100644
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/iscsi.te b/iscsi.te
-index ca020fa..d4ed777 100644
+index ca020fa..989eba9 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0)
@@ -37620,12 +38031,12 @@ index ca020fa..d4ed777 100644
can_exec(iscsid_t, iscsid_exec_t)
++kernel_load_module(iscsid_t)
+kernel_request_load_module(iscsid_t)
kernel_read_network_state(iscsid_t)
kernel_read_system_state(iscsid_t)
-kernel_setsched(iscsid_t)
+kernel_dontaudit_setsched(iscsid_t)
-+kernel_request_load_module(iscsid_t)
-corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t)
@@ -47145,10 +47556,10 @@ index 0000000..86467cf
+')
diff --git a/mirrormanager.te b/mirrormanager.te
new file mode 100644
-index 0000000..841b732
+index 0000000..f59af1b
--- /dev/null
+++ b/mirrormanager.te
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,46 @@
+policy_module(mirrormanager, 1.0.0)
+
+########################################
@@ -47158,7 +47569,7 @@ index 0000000..841b732
+
+type mirrormanager_t;
+type mirrormanager_exec_t;
-+cron_system_entry(mirrormanager_t, mirrormanager_exec_t)
++application_domain(mirrormanager_t, mirrormanager_exec_t)
+
+type mirrormanager_log_t;
+logging_log_file(mirrormanager_log_t)
@@ -47192,6 +47603,9 @@ index 0000000..841b732
+manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
+files_pid_filetrans(mirrormanager_t, mirrormanager_var_run_t, { dir })
+
++optional_policy(`
++ cron_system_entry(mirrormanager_t, mirrormanager_exec_t)
++')
diff --git a/mock.fc b/mock.fc
new file mode 100644
index 0000000..8d0e473
@@ -53015,7 +53429,7 @@ index b744fe3..cb0e2af 100644
+ admin_pattern($1, munin_content_t)
')
diff --git a/munin.te b/munin.te
-index b708708..dd6e04b 100644
+index b708708..f4c0e61 100644
--- a/munin.te
+++ b/munin.te
@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
@@ -53122,7 +53536,7 @@ index b708708..dd6e04b 100644
')
optional_policy(`
-@@ -246,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -246,21 +234,25 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
@@ -53141,16 +53555,18 @@ index b708708..dd6e04b 100644
-
-files_read_etc_runtime_files(disk_munin_plugin_t)
+dev_read_all_blk_files(disk_munin_plugin_t)
++dev_raw_memory_reader(disk_munin_plugin_t)
fs_getattr_all_fs(disk_munin_plugin_t)
fs_getattr_all_dirs(disk_munin_plugin_t)
-storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
+storage_raw_read_fixed_disk(disk_munin_plugin_t)
++storage_read_scsi_generic(disk_munin_plugin_t)
sysnet_read_config(disk_munin_plugin_t)
-@@ -272,6 +262,10 @@ optional_policy(`
+@@ -272,6 +264,10 @@ optional_policy(`
fstools_exec(disk_munin_plugin_t)
')
@@ -53161,7 +53577,7 @@ index b708708..dd6e04b 100644
####################################
#
# Mail local policy
-@@ -279,27 +273,39 @@ optional_policy(`
+@@ -279,27 +275,39 @@ optional_policy(`
allow mail_munin_plugin_t self:capability dac_override;
@@ -53205,7 +53621,7 @@ index b708708..dd6e04b 100644
')
optional_policy(`
-@@ -339,7 +345,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -339,7 +347,7 @@ dev_read_rand(services_munin_plugin_t)
sysnet_read_config(services_munin_plugin_t)
optional_policy(`
@@ -53214,7 +53630,7 @@ index b708708..dd6e04b 100644
')
optional_policy(`
-@@ -348,6 +354,10 @@ optional_policy(`
+@@ -348,6 +356,10 @@ optional_policy(`
')
optional_policy(`
@@ -53225,7 +53641,7 @@ index b708708..dd6e04b 100644
lpd_exec_lpr(services_munin_plugin_t)
')
-@@ -361,7 +371,11 @@ optional_policy(`
+@@ -361,7 +373,11 @@ optional_policy(`
')
optional_policy(`
@@ -53238,7 +53654,7 @@ index b708708..dd6e04b 100644
')
optional_policy(`
-@@ -393,6 +407,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -393,6 +409,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
kernel_read_network_state(system_munin_plugin_t)
kernel_read_all_sysctls(system_munin_plugin_t)
@@ -53246,7 +53662,7 @@ index b708708..dd6e04b 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -421,3 +436,33 @@ optional_policy(`
+@@ -421,3 +438,33 @@ optional_policy(`
optional_policy(`
unconfined_domain(unconfined_munin_plugin_t)
')
@@ -61436,10 +61852,19 @@ index 3b6920e..3e9b17f 100644
userdom_dontaudit_search_user_home_dirs(openct_t)
diff --git a/openhpi.te b/openhpi.te
-index 8de6191..af7f2a8 100644
+index 8de6191..1a01e99 100644
--- a/openhpi.te
+++ b/openhpi.te
-@@ -50,8 +50,10 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
+@@ -38,6 +38,8 @@ files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, dir)
+ manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
+ files_pid_filetrans(openhpid_t, openhpid_var_run_t, file)
+
++kernel_read_system_state(openhpid_t)
++
+ corenet_all_recvfrom_unlabeled(openhpid_t)
+ corenet_all_recvfrom_netlabel(openhpid_t)
+ corenet_tcp_sendrecv_generic_if(openhpid_t)
+@@ -50,8 +52,10 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
dev_read_urand(openhpid_t)
@@ -63990,7 +64415,7 @@ index 9b15730..cb00f20 100644
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..ac08330 100644
+index 44dbc99..eb8d420 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -9,11 +9,8 @@ type openvswitch_t;
@@ -64055,12 +64480,13 @@ index 44dbc99..ac08330 100644
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-@@ -65,33 +68,45 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -65,33 +68,46 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
-can_exec(openvswitch_t, openvswitch_exec_t)
-
++kernel_load_module(openvswitch_t)
kernel_read_network_state(openvswitch_t)
kernel_read_system_state(openvswitch_t)
+kernel_request_load_module(openvswitch_t)
@@ -85125,7 +85551,7 @@ index 6dbc905..4b17c93 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..e030327 100644
+index d32e1a2..2078892 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@@ -85164,7 +85590,7 @@ index d32e1a2..e030327 100644
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
-@@ -50,25 +56,78 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+@@ -50,25 +56,83 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
@@ -85211,8 +85637,12 @@ index d32e1a2..e030327 100644
sysnet_dns_name_resolve(rhsmcertd_t)
- optional_policy(`
-- rpm_read_db(rhsmcertd_t)
++ifdef(`hide_broken_symptoms',`
++ exec_files_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t)
++ exec_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
++')
++
++optional_policy(`
+ dbus_system_domain(rhsmcertd_t,rhsmcertd_exec_t)
+')
+
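Review bot: The new `ifdef(`hide_broken_symptoms'` block lets rhsmcertd_t execute files under its own tmp and pid directories (`exec_files_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t)` and the same for `rhsmcertd_var_run_t`), types it can also write; that is the write-then-execute pattern SELinux is meant to prevent, so anything able to plant a file there, or to exploit the daemon's own file handling, gains code execution in rhsmcertd_t. The changelog calls this temporary, so the block should carry the bug reference and the intended fix, e.g. `# TODO(rhbz#…): subscription-manager runs a helper from its tmp/run dir; give the helper its own exec type and a domtrans instead`. Confirm whether that helper is a fixed script that could simply be labeled with a proper exec type now. The rhsmcertd_t section continues outside this hunk.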
@@ -85245,7 +85675,8 @@ index d32e1a2..e030327 100644
+ virt_signull(rhsmcertd_t)
+')
+
-+optional_policy(`
+ optional_policy(`
+- rpm_read_db(rhsmcertd_t)
+ unconfined_signull(rhsmcertd_t)
')
diff --git a/ricci.if b/ricci.if
@@ -91902,10 +92333,10 @@ index 0000000..b7db254
+# Empty
diff --git a/sandbox.if b/sandbox.if
new file mode 100644
-index 0000000..1e7c447
+index 0000000..b21026b
--- /dev/null
+++ b/sandbox.if
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,92 @@
+
+## policy for sandbox
+
@@ -91983,8 +92414,20 @@ index 0000000..1e7c447
+
+ application_type($1_t)
+
++ # this is to satisfy the assertion:
++ dev_raw_memory_reader($1_t)
++ dev_raw_memory_writer($1_t)
++
+ mls_rangetrans_target($1_t)
+ mcs_constrained($1_t)
++
++ # this is to satisfy the assertion:
++ storage_rw_inherited_fixed_disk_dev($1_t)
++ storage_rw_inherited_scsi_generic($1_t)
++
++ # this is to satisfy the assertion:
++ auth_reader_shadow($1_t)
++ auth_writer_shadow($1_t)
+')
diff --git a/sandbox.te b/sandbox.te
new file mode 100644
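Review bot: `auth_reader_shadow($1_t)` and `auth_writer_shadow($1_t)`, like the raw-memory reader/writer calls above them, are applied to every domain built from sandbox_domain_template, and the `# this is to satisfy the assertion:` comments say they exist only to silence neverallows. If these interfaces attach the shadow and raw-memory attributes, they remove exactly the guards meant to keep an untrusted sandbox away from /etc/shadow and /dev/mem; the assertion fires because some rule in the template (not visible here) already reaches those types, and the better fix is to replace that rule with its `_non_auth` or otherwise narrower variant rather than exempt the sandbox. At minimum the comment should name the offending rule, e.g. `# shadow/raw-memory attributes only: neverallow hit by <rule>; narrow that rule instead`. sandbox_domain_template begins before this hunk.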
@@ -92066,7 +92509,7 @@ index 0000000..6caef63
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/sandboxX.if b/sandboxX.if
new file mode 100644
-index 0000000..03bdcef
+index 0000000..5b65b7c
--- /dev/null
+++ b/sandboxX.if
@@ -0,0 +1,395 @@
@@ -92157,7 +92600,7 @@ index 0000000..03bdcef
+ attribute sandbox_type;
+ ')
+
-+ type $1_t, sandbox_x_domain, sandbox_type;
++ type $1_t, sandbox_x_domain, sandbox_type, sandbox_web_type;
+ application_type($1_t)
+ mcs_constrained($1_t)
+
@@ -92467,10 +92910,10 @@ index 0000000..03bdcef
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..a3319b0
+index 0000000..7a8e744
--- /dev/null
+++ b/sandboxX.te
-@@ -0,0 +1,501 @@
+@@ -0,0 +1,505 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@@ -92764,6 +93207,10 @@ index 0000000..a3319b0
+files_search_home(sandbox_x_t)
+userdom_use_user_ptys(sandbox_x_t)
+
++#1103622
++corenet_tcp_connect_xserver_port(sandbox_x_t)
++xserver_stream_connect(sandbox_x_t)
++
+########################################
+#
+# sandbox_x_client_t local policy
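Review bot: `corenet_tcp_connect_xserver_port(sandbox_x_t)` and `xserver_stream_connect(sandbox_x_t)` let the X sandbox talk to the host X server instead of only its nested one; X has no client isolation, so a sandboxed application that reaches the real server can read keystrokes and inject input into other windows, which is precisely what the X sandbox exists to contain. The only justification is the bare `#1103622` comment; if this is a stopgap, say so and make it switchable, e.g. `# TEMP(rhbz#1103622): direct connection to the host X server defeats sandbox isolation; remove when the nested-server path works` plus a tunable so administrators can turn it off. The sandbox_x_t section continues outside this hunk.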
@@ -108693,7 +109140,7 @@ index facdee8..a6dcaaa 100644
+ typeattribute $1 sandbox_caps_domain;
')
diff --git a/virt.te b/virt.te
-index f03dcf5..36afdd2 100644
+index f03dcf5..d15b4d3 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,241 @@
@@ -110193,7 +110640,7 @@ index f03dcf5..36afdd2 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1171,325 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1171,326 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -110484,6 +110931,7 @@ index f03dcf5..36afdd2 100644
+dontaudit svirt_lxc_net_t self:capability2 block_suspend ;
+allow svirt_lxc_net_t self:process { execstack execmem };
+manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++kernel_load_module(svirt_lxc_net_t)
+
+tunable_policy(`virt_sandbox_use_sys_admin',`
+ allow svirt_lxc_net_t self:capability sys_admin;
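Review bot: `kernel_load_module(svirt_lxc_net_t)` is now unconditional for the container domain; in reference policy that interface grants the sys_module capability and the can_load_kernmodule attribute, so a container process that keeps CAP_SYS_MODULE in its bounding set is no longer stopped by SELinux from loading host kernel modules. The changelog explains it as a neverallow fix (a typeattribute cannot live inside a tunable), but then the capability grant that forced it should be reconsidered: if sys_module was previously inside a boolean, dropping it there and relying on `kernel_request_load_module` alone would satisfy the neverallow without the unconditional grant. Otherwise add a comment so the grant is not taken as intent, e.g. `# sys_module unconditional only because neverallow checks cover both tunable branches; container engines must drop CAP_SYS_MODULE`. The svirt_lxc_net_t section continues outside this hunk.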
@@ -110660,7 +111108,7 @@ index f03dcf5..36afdd2 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1502,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1503,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -110675,7 +111123,7 @@ index f03dcf5..36afdd2 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,9 +1520,8 @@ optional_policy(`
+@@ -1192,9 +1521,8 @@ optional_policy(`
########################################
#
@@ -110686,7 +111134,7 @@ index f03dcf5..36afdd2 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1534,242 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1535,242 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -111205,7 +111653,7 @@ index 20a1fb2..470ea95 100644
allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
diff --git a/vmware.te b/vmware.te
-index 4ad1894..d72037f 100644
+index 4ad1894..840409e 100644
--- a/vmware.te
+++ b/vmware.te
@@ -65,7 +65,8 @@ ifdef(`enable_mcs',`
@@ -111218,7 +111666,11 @@ index 4ad1894..d72037f 100644
dontaudit vmware_host_t self:capability sys_tty_config;
allow vmware_host_t self:process { execstack execmem signal_perms };
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
-@@ -94,8 +95,8 @@ can_exec(vmware_host_t, vmware_host_exec_t)
+@@ -91,11 +92,12 @@ logging_log_filetrans(vmware_host_t, vmware_log_t, file)
+
+ can_exec(vmware_host_t, vmware_host_exec_t)
+
++kernel_load_module(vmware_host_t)
kernel_read_kernel_sysctls(vmware_host_t)
kernel_read_system_state(vmware_host_t)
kernel_read_network_state(vmware_host_t)
@@ -111228,7 +111680,7 @@ index 4ad1894..d72037f 100644
corenet_all_recvfrom_netlabel(vmware_host_t)
corenet_tcp_sendrecv_generic_if(vmware_host_t)
corenet_udp_sendrecv_generic_if(vmware_host_t)
-@@ -115,14 +116,13 @@ dev_getattr_all_blk_files(vmware_host_t)
+@@ -115,14 +117,13 @@ dev_getattr_all_blk_files(vmware_host_t)
dev_read_sysfs(vmware_host_t)
dev_read_urand(vmware_host_t)
dev_rw_vmware(vmware_host_t)
@@ -111244,7 +111696,7 @@ index 4ad1894..d72037f 100644
fs_getattr_all_fs(vmware_host_t)
fs_search_auto_mountpoints(vmware_host_t)
-@@ -138,23 +138,27 @@ libs_exec_ld_so(vmware_host_t)
+@@ -138,23 +139,27 @@ libs_exec_ld_so(vmware_host_t)
logging_send_syslog_msg(vmware_host_t)
@@ -111276,7 +111728,7 @@ index 4ad1894..d72037f 100644
optional_policy(`
samba_read_config(vmware_host_t)
-@@ -244,9 +248,7 @@ dev_search_sysfs(vmware_t)
+@@ -244,9 +249,7 @@ dev_search_sysfs(vmware_t)
domain_use_interactive_fds(vmware_t)
@@ -111286,7 +111738,7 @@ index 4ad1894..d72037f 100644
files_list_home(vmware_t)
fs_getattr_all_fs(vmware_t)
-@@ -258,9 +260,8 @@ storage_raw_write_removable_device(vmware_t)
+@@ -258,9 +261,8 @@ storage_raw_write_removable_device(vmware_t)
libs_exec_ld_so(vmware_t)
libs_read_lib_files(vmware_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d5babb9..59f6779 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 142%{?dist}
+Release: 143%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,35 @@ exit 0
%endif
%changelog
+* Fri Aug 21 2015 Miroslav Grepl 3.13.1-143
+- Add ipmievd policy creaed by vmojzis@redhat.com
+- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled.
+- Allow NetworkManager to write audit log messages
+- Add new policy for ipmievd (ipmitool).
+- mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block.
+- Allow sandbox domain to be also /dev/mem writer
+- Fix neverallow assertion for sys_module capability for openvswitch.
+- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t.
+- Fix neverallow assertion for sys_module capability.
+- Add more attributes for sandbox domains to avoid neverallow assertion issues.
+- Add neverallow asserition fixes related to storage.
+- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS
+- Allow openhpid_t to read system state.
+- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type.
+- Added labels for files provided by rh-nginx18 collection
+- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.
+- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution.
+- Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow tosatisfy neverallow assertions.
+- Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion.
+- seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues.
+- Add dev_raw_memory_writer() interface
+- Add auth_reader_shadow() and auth_writer_shadow() interfaces
+- Add dev_raw_memory_reader() interface.
+- Add storage_rw_inherited_scsi_generic() interface.
+- Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working.
+- Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t.
+- Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process.
+
* Tue Aug 18 2015 Lukas Vrabec 3.13.1-142
- Allow samba_net_t to manage samba_var_t sock files.
- Allow httpd daemon to manage httpd_var_lib_t lnk_files.