diff --git a/.gitignore b/.gitignore
index 100fdfa..91580fb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -230,3 +230,4 @@ serefpolicy*
/config.tgz
/serefpolicy-3.9.8.tgz
/serefpolicy-3.9.9.tgz
+/serefpolicy-3.9.10.tgz
diff --git a/policy-F15.patch b/policy-F15.patch
index 6f8d414..a0a3399 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -47,6 +47,36 @@ index 6760c95..34edd2a 100644
open
}
+diff --git a/policy/global_booleans b/policy/global_booleans
+index 111d004..9df7b5e 100644
+--- a/policy/global_booleans
++++ b/policy/global_booleans
+@@ -6,7 +6,7 @@
+
+ ##
+ ##
+-## Enabling secure mode disallows programs, such as
++## disallow programs, such as
+ ## newrole, from transitioning to administrative
+ ## user domains.
+ ##
+@@ -15,14 +15,14 @@ gen_bool(secure_mode,false)
+
+ ##
+ ##
+-## Disable transitions to insmod.
++## disallow programs and users from transitioning to insmod domain.
+ ##
+ ##
+ gen_bool(secure_mode_insmod,false)
+
+ ##
+ ##
+-## boolean to determine whether the system permits loading policy, setting
++## prevent all confined domains from loading policy, setting
+ ## enforcing mode, and changing boolean values. Set this to true and you
+ ## have to reboot to set it back
+ ##
diff --git a/policy/global_tunables b/policy/global_tunables
index 3316f6e..6e82b1e 100644
--- a/policy/global_tunables
@@ -4022,9 +4052,18 @@ index 9a6d67d..b0c1197 100644
## mozilla over dbus.
##
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..62796d8 100644
+index cbf4bec..7099120 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
+@@ -7,7 +7,7 @@ policy_module(mozilla, 2.2.2)
+
+ ##
+ ##
+-## Control mozilla content access
++## allow confined web browsers to read home directory content
+ ##
+ ##
+ gen_tunable(mozilla_read_content, false)
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
@@ -5529,9 +5568,18 @@ index c1d5f50..989f88c 100644
+
+
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
-index a3225d4..9cd8b55 100644
+index a3225d4..bc10481 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
+@@ -21,7 +21,7 @@ gen_tunable(qemu_use_cifs, true)
+
+ ##
+ ##
+-## Allow qemu to user serial/parallel communication ports
++## Allow qemu to use serial/parallel communication ports
+ ##
+ ##
+ gen_tunable(qemu_use_comm, false)
@@ -90,7 +90,9 @@ tunable_policy(`qemu_use_usb',`
')
@@ -5681,10 +5729,10 @@ index 0000000..15778fd
+# No types are sandbox_exec_t
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
new file mode 100644
-index 0000000..9783c8f
+index 0000000..402027a
--- /dev/null
+++ b/policy/modules/apps/sandbox.if
-@@ -0,0 +1,339 @@
+@@ -0,0 +1,340 @@
+
+## policy for sandbox
+
@@ -5757,7 +5805,7 @@ index 0000000..9783c8f
+########################################
+##
+## Creates types and rules for a basic
-+## qemu process domain.
++## sandbox process domain.
+##
+##
+##
@@ -5770,10 +5818,10 @@ index 0000000..9783c8f
+ gen_require(`
+ attribute sandbox_domain;
+ attribute sandbox_file_type;
-+ attribute sandbox_x_type;
++ attribute sandbox_type;
+ ')
++ type $1_t, sandbox_domain, sandbox_type;
+
-+ type $1_t, sandbox_domain, sandbox_x_type;
+ application_type($1_t)
+
+ mls_rangetrans_target($1_t)
@@ -5793,7 +5841,7 @@ index 0000000..9783c8f
+########################################
+##
+## Creates types and rules for a basic
-+## qemu process domain.
++## sandbox process domain.
+##
+##
+##
@@ -5807,9 +5855,10 @@ index 0000000..9783c8f
+ type sandbox_xserver_t;
+ attribute sandbox_domain, sandbox_x_domain;
+ attribute sandbox_file_type, sandbox_tmpfs_type;
++ attribute sandbox_type;
+ ')
+
-+ type $1_t, sandbox_x_domain;
++ type $1_t, sandbox_x_domain, sandbox_type;
+ application_type($1_t)
+ mcs_untrusted_proc($1_t)
+
@@ -6026,10 +6075,10 @@ index 0000000..9783c8f
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..aa1d56d
+index 0000000..6522c1b
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,430 @@
+@@ -0,0 +1,441 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -6037,7 +6086,7 @@ index 0000000..aa1d56d
+attribute sandbox_file_type;
+attribute sandbox_web_type;
+attribute sandbox_tmpfs_type;
-+attribute sandbox_x_type;
++attribute sandbox_type;
+
+########################################
+#
@@ -6102,6 +6151,7 @@ index 0000000..aa1d56d
+files_search_home(sandbox_xserver_t)
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
+fs_list_inotifyfs(sandbox_xserver_t)
++fs_search_auto_mountpoints(sandbox_xserver_t)
+
+miscfiles_read_fonts(sandbox_xserver_t)
+miscfiles_read_localization(sandbox_xserver_t)
@@ -6184,6 +6234,7 @@ index 0000000..aa1d56d
+
+allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
+dontaudit sandbox_x_domain sandbox_x_domain:process signal;
++dontaudit sandbox_x_domain sandbox_xserver_t:process signal;
+
+allow sandbox_x_domain self:shm create_shm_perms;
+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -6272,18 +6323,27 @@ index 0000000..aa1d56d
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
+userdom_search_user_home_content(sandbox_x_domain)
+
++fs_search_auto_mountpoints(sandbox_x_domain)
++
+tunable_policy(`use_nfs_home_dirs',`
++ fs_search_auto_mountpoints(sandbox_x_domain)
++ fs_search_nfs(sandbox_xserver_t)
+ fs_read_nfs_files(sandbox_xserver_t)
++ fs_manage_nfs_dirs(sandbox_x_domain)
+ fs_manage_nfs_files(sandbox_x_domain)
+')
+
+tunable_policy(`use_samba_home_dirs',`
++ fs_search_cifs(sandbox_xserver_t)
+ fs_read_cifs_files(sandbox_xserver_t)
++ fs_manage_cifs_dirs(sandbox_x_domain)
+ fs_manage_cifs_files(sandbox_x_domain)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
++ fs_search_fusefs(sandbox_xserver_t)
+ fs_read_fusefs_files(sandbox_xserver_t)
++ fs_manage_fusefs_dirs(sandbox_x_domain)
+ fs_manage_fusefs_files(sandbox_x_domain)
+')
+
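Review bot: `fs_search_auto_mountpoints(sandbox_x_domain)` is added unconditionally just above the `use_nfs_home_dirs` block and then again inside it, so the conditional copy is redundant and can be dropped. The more significant change is the three `fs_manage_*_dirs(sandbox_x_domain)` lines: with the matching home-directory boolean on, every sandbox_x_domain type can create and remove directories on the nfs/cifs/fusefs type. Such mounts usually carry a single label per mount, so the grant presumably reaches beyond the user's home directory to anything mounted with that type. If that breadth is intended, a comment above the tunable blocks would record it, e.g. `# sandboxed X apps must create dirs in remote home directories; the grant covers the whole mount label`. The rest of the sandbox_x_domain policy lies outside this hunk.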
@@ -7544,11 +7604,43 @@ index 9e5c83e..953e0e8 100644
+
+/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
+diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
+index b06df19..5282ad5 100644
+--- a/policy/modules/kernel/corenetwork.if.in
++++ b/policy/modules/kernel/corenetwork.if.in
+@@ -2149,13 +2149,18 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+ ##
+ #
+ interface(`corenet_tcp_recvfrom_unlabeled',`
++ gen_require(`
++ attribute corenet_unlabeled_type;
++ ')
++
+ kernel_tcp_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
+
++ typeattribute $1 corenet_unlabeled_type;
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+- kernel_sendrecv_unlabeled_association($1)
++# kernel_sendrecv_unlabeled_association($1)
+ ')
+
+ ########################################
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 36ba519..ba41f1f 100644
+index 36ba519..8b431af 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
-@@ -24,6 +24,7 @@ dev_node(ppp_device_t)
+@@ -15,6 +15,7 @@ attribute rpc_port_type;
+ attribute server_packet_type;
+
+ attribute corenet_unconfined_type;
++attribute corenet_unlabeled_type;
+
+ type ppp_device_t;
+ dev_node(ppp_device_t)
+@@ -24,11 +25,14 @@ dev_node(ppp_device_t)
#
type tun_tap_device_t;
dev_node(tun_tap_device_t)
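Review bot: The `XXX` comment kept in `corenet_tcp_recvfrom_unlabeled` still says the send check must stay in place "so as not to break older systems", but the call it refers to is now commented out, so comment and code contradict each other. After this change the caller receives `kernel_sendrecv_unlabeled_association` only through the new `corenet_unlabeled_type` attribute and the `optional_policy` block added to corenetwork.te.in further down this patch, that is, only when the unlabelednet module is installed. I would delete the commented-out line and replace the comment with something like `# unlabeled association send/recv is granted via corenet_unlabeled_type when the unlabelednet module is present`. Only the tcp interface is visible here, so whether the sibling recvfrom_unlabeled interfaces need the same attribute cannot be judged from this hunk.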
@@ -7556,7 +7648,14 @@ index 36ba519..ba41f1f 100644
########################################
#
-@@ -64,20 +65,25 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+ # Ports and packets
+ #
++type intranet_packet_t;
++type internet_packet_t;
+
+ #
+ # client_packet_t is the default type of IPv4 and IPv6 client packets.
+@@ -64,20 +68,25 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
type server_packet_t, packet_type, server_packet_type;
network_port(afs_bos, udp,7007,s0)
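Review bot: `intranet_packet_t` and `internet_packet_t` are declared bare, while the packet type shown just below is declared as `type server_packet_t, packet_type, server_packet_type;`. Without `packet_type` the new types presumably fall outside any rule written against that attribute, and nothing in the visible hunks references them. If they are meant to be usable as packet labels, `type intranet_packet_t, packet_type;` (and likewise for `internet_packet_t`) plus a one-line comment on their intended use would make that explicit. If they are deliberately kept out of the attribute, say so in a comment.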
@@ -7582,7 +7681,7 @@ index 36ba519..ba41f1f 100644
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
network_port(certmaster, tcp,51235,s0)
network_port(chronyd, udp,323,s0)
-@@ -85,6 +91,7 @@ network_port(clamd, tcp,3310,s0)
+@@ -85,6 +94,7 @@ network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
network_port(cobbler, tcp,25151,s0)
@@ -7590,7 +7689,7 @@ index 36ba519..ba41f1f 100644
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
-@@ -97,7 +104,9 @@ network_port(dict, tcp,2628,s0)
+@@ -97,7 +107,9 @@ network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
network_port(epmap, tcp,135,s0, udp,135,s0)
@@ -7600,7 +7699,7 @@ index 36ba519..ba41f1f 100644
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -111,7 +120,7 @@ network_port(hddtemp, tcp,7634,s0)
+@@ -111,7 +123,7 @@ network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -7609,7 +7708,7 @@ index 36ba519..ba41f1f 100644
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -125,30 +134,34 @@ network_port(iscsi, tcp,3260,s0)
+@@ -125,30 +137,34 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -7648,7 +7747,7 @@ index 36ba519..ba41f1f 100644
network_port(ntp, udp,123,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-@@ -156,12 +169,20 @@ network_port(pegasus_http, tcp,5988,s0)
+@@ -156,12 +172,20 @@ network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
@@ -7669,7 +7768,7 @@ index 36ba519..ba41f1f 100644
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -176,24 +197,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -176,24 +200,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -7702,7 +7801,7 @@ index 36ba519..ba41f1f 100644
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -203,16 +228,17 @@ network_port(transproxy, tcp,8081,s0)
+@@ -203,16 +231,17 @@ network_port(transproxy, tcp,8081,s0)
network_port(ups, tcp,3493,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
@@ -7723,6 +7822,17 @@ index 36ba519..ba41f1f 100644
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
+@@ -262,6 +291,10 @@ network_interface(lo, lo, s0 - mls_systemhigh)
+ typealias netif_t alias { lo_netif_t netif_lo_t };
+ ')
+
++optional_policy(`
++ unlabelednet_sendrecv_packets(corenet_unlabeled_type)
++')
++
+ ########################################
+ #
+ # Unconfined access to this module
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 3b2da10..7c29e17 100644
--- a/policy/modules/kernel/devices.fc
@@ -7761,7 +7871,7 @@ index 3b2da10..7c29e17 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 99482ca..c381190 100644
+index 15a7bef..d5f08a4 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -336,6 +336,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
@@ -8007,7 +8117,7 @@ index 99482ca..c381190 100644
## Get the attributes of sysfs directories.
##
##
-@@ -3755,6 +3899,24 @@ interface(`dev_rw_sysfs',`
+@@ -3773,6 +3917,24 @@ interface(`dev_rw_sysfs',`
########################################
##
@@ -8032,7 +8142,7 @@ index 99482ca..c381190 100644
## Read from pseudo random number generator devices (e.g., /dev/urandom).
##
##
-@@ -3924,6 +4086,24 @@ interface(`dev_read_usbmon_dev',`
+@@ -3942,6 +4104,24 @@ interface(`dev_read_usbmon_dev',`
########################################
##
@@ -8057,7 +8167,7 @@ index 99482ca..c381190 100644
## Mount a usbfs filesystem.
##
##
-@@ -4234,11 +4414,10 @@ interface(`dev_write_video_dev',`
+@@ -4252,11 +4432,10 @@ interface(`dev_write_video_dev',`
#
interface(`dev_rw_vhost',`
gen_require(`
@@ -8072,7 +8182,7 @@ index 99482ca..c381190 100644
########################################
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 7047f2f..ef76289 100644
+index ae138bb..95f6137 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -102,6 +102,7 @@ dev_node(ksm_device_t)
@@ -8443,7 +8553,7 @@ index 3517db2..4dd4bef 100644
+
+/usr/lib/debug <>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 5302dac..2c77493 100644
+index ed203b2..bfb7926 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -8545,7 +8655,7 @@ index 5302dac..2c77493 100644
## List the contents of the root directory.
##
##
-@@ -1836,6 +1906,25 @@ interface(`files_relabelfrom_boot_files',`
+@@ -1854,6 +1924,25 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@@ -8571,7 +8681,7 @@ index 5302dac..2c77493 100644
########################################
##
## Read and write symbolic links
-@@ -2435,6 +2524,24 @@ interface(`files_delete_etc_files',`
+@@ -2453,6 +2542,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -8596,7 +8706,7 @@ index 5302dac..2c77493 100644
## Execute generic files in /etc.
##
##
-@@ -2605,6 +2712,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2623,6 +2730,24 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -8621,7 +8731,7 @@ index 5302dac..2c77493 100644
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
-@@ -3086,6 +3211,7 @@ interface(`files_getattr_home_dir',`
+@@ -3104,6 +3229,7 @@ interface(`files_getattr_home_dir',`
')
allow $1 home_root_t:dir getattr;
@@ -8629,7 +8739,7 @@ index 5302dac..2c77493 100644
')
########################################
-@@ -3106,6 +3232,7 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3124,6 +3250,7 @@ interface(`files_dontaudit_getattr_home_dir',`
')
dontaudit $1 home_root_t:dir getattr;
@@ -8637,7 +8747,7 @@ index 5302dac..2c77493 100644
')
########################################
-@@ -3347,6 +3474,24 @@ interface(`files_list_mnt',`
+@@ -3365,6 +3492,24 @@ interface(`files_list_mnt',`
allow $1 mnt_t:dir list_dir_perms;
')
@@ -8662,7 +8772,7 @@ index 5302dac..2c77493 100644
########################################
##
## Mount a filesystem on /mnt.
-@@ -3420,6 +3565,24 @@ interface(`files_read_mnt_files',`
+@@ -3438,6 +3583,24 @@ interface(`files_read_mnt_files',`
read_files_pattern($1, mnt_t, mnt_t)
')
@@ -8687,7 +8797,7 @@ index 5302dac..2c77493 100644
########################################
##
## Create, read, write, and delete symbolic links in /mnt.
-@@ -3711,6 +3874,100 @@ interface(`files_read_world_readable_sockets',`
+@@ -3729,6 +3892,100 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -8788,7 +8898,7 @@ index 5302dac..2c77493 100644
########################################
##
## Allow the specified type to associate
-@@ -3896,6 +4153,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -3914,6 +4171,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
@@ -8821,7 +8931,7 @@ index 5302dac..2c77493 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -3950,6 +4233,84 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3968,6 +4251,84 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
@@ -8861,7 +8971,7 @@ index 5302dac..2c77493 100644
+
+########################################
+##
-+## Relabel all tmp files.
++## Relabel all tmp dirs.
+##
+##
+##
@@ -8870,19 +8980,19 @@ index 5302dac..2c77493 100644
+##
+##
+#
-+interface(`files_relabelto_all_tmp_files',`
++interface(`files_relabel_all_tmp_dirs',`
+ gen_require(`
+ attribute tmpfile;
+ type var_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
-+ relabelto_dirs_pattern($1, tmpfile, tmpfile)
++ relabel_dirs_pattern($1, tmpfile, tmpfile)
+')
+
+########################################
+##
-+## Relabel all tmp dirs.
++## Relabel all tmp files.
+##
+##
+##
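Review bot: The rename to `files_relabel_all_tmp_dirs` also switches the body from `relabelto_dirs_pattern` to `relabel_dirs_pattern`, and the next hunk does the same for `files_relabel_all_tmp_files` with `relabel_files_pattern`. That fixes the copy-paste where both old interfaces relabeled dirs, but it also widens the grant from relabelto only to relabelfrom plus relabelto on every `tmpfile` type. Callers of the old `files_relabelto_all_tmp_*` names are not visible in this chunk and would stop building unless they were updated in the same commit. The summaries could state the wider access, e.g. `## Relabel to and from all tmp dirs.`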
@@ -8891,14 +9001,14 @@ index 5302dac..2c77493 100644
+##
+##
+#
-+interface(`files_relabelto_all_tmp_dirs',`
++interface(`files_relabel_all_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ type var_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
-+ relabelto_dirs_pattern($1, tmpfile, tmpfile)
++ relabel_files_pattern($1, tmpfile, tmpfile)
+')
+
+########################################
@@ -8906,7 +9016,7 @@ index 5302dac..2c77493 100644
## Set the attributes of all tmp directories.
##
##
-@@ -4109,6 +4470,13 @@ interface(`files_purge_tmp',`
+@@ -4127,6 +4488,13 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -8920,7 +9030,7 @@ index 5302dac..2c77493 100644
')
########################################
-@@ -4718,7 +5086,7 @@ interface(`files_read_var_files',`
+@@ -4736,7 +5104,7 @@ interface(`files_read_var_files',`
########################################
##
@@ -8929,7 +9039,7 @@ index 5302dac..2c77493 100644
##
##
##
-@@ -4726,36 +5094,54 @@ interface(`files_read_var_files',`
+@@ -4744,36 +5112,54 @@ interface(`files_read_var_files',`
##
##
#
@@ -8992,7 +9102,7 @@ index 5302dac..2c77493 100644
##
##
##
-@@ -5053,6 +5439,24 @@ interface(`files_manage_mounttab',`
+@@ -5071,6 +5457,24 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -9017,7 +9127,7 @@ index 5302dac..2c77493 100644
## Search the locks directory (/var/lock).
##
##
-@@ -5138,12 +5542,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5156,12 +5560,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -9034,7 +9144,7 @@ index 5302dac..2c77493 100644
')
########################################
-@@ -5189,6 +5593,27 @@ interface(`files_delete_all_locks',`
+@@ -5207,6 +5611,27 @@ interface(`files_delete_all_locks',`
########################################
##
@@ -9062,7 +9172,7 @@ index 5302dac..2c77493 100644
## Read all lock files.
##
##
-@@ -5317,6 +5742,43 @@ interface(`files_search_pids',`
+@@ -5335,6 +5760,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -9106,7 +9216,7 @@ index 5302dac..2c77493 100644
########################################
##
## Do not audit attempts to search
-@@ -5524,6 +5986,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5542,6 +6004,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -9169,7 +9279,7 @@ index 5302dac..2c77493 100644
## Read all process ID files.
##
##
-@@ -5541,6 +6059,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6077,44 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -9214,7 +9324,7 @@ index 5302dac..2c77493 100644
')
########################################
-@@ -5826,3 +6382,247 @@ interface(`files_unconfined',`
+@@ -5844,3 +6400,247 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -9463,7 +9573,7 @@ index 5302dac..2c77493 100644
+ allow $1 file_type:kernel_service create_files_as;
+')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 07352a5..12e9ecf 100644
+index ba9529a..cd45491 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -11,6 +11,7 @@ attribute lockfile;
@@ -9519,7 +9629,7 @@ index 59bae6a..2e55e71 100644
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/dev/hugepages(/.*)? <>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 437a42a..725b363 100644
+index dfe361a..99984fd 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -9908,7 +10018,7 @@ index 437a42a..725b363 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3970,6 +4168,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3989,6 +4187,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
##
@@ -9951,7 +10061,7 @@ index 437a42a..725b363 100644
## Relabel character nodes on tmpfs filesystems.
##
##
-@@ -4252,6 +4486,8 @@ interface(`fs_mount_all_fs',`
+@@ -4271,6 +4505,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -9960,7 +10070,7 @@ index 437a42a..725b363 100644
')
########################################
-@@ -4662,3 +4898,24 @@ interface(`fs_unconfined',`
+@@ -4681,3 +4917,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -9986,7 +10096,7 @@ index 437a42a..725b363 100644
+')
+
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 0dff98e..7f1a558 100644
+index 6d21b3d..255b47a 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -52,6 +52,7 @@ type anon_inodefs_t;
@@ -10064,33 +10174,13 @@ index 0dff98e..7f1a558 100644
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index ed7667a..10c14fe 100644
+index b4ad6d7..0937933 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
-@@ -698,6 +698,46 @@ interface(`kernel_read_debugfs',`
+@@ -716,6 +716,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',`
########################################
##
-+## Read/Write information from the debugging filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_rw_debugfs',`
-+ gen_require(`
-+ type debugfs_t;
-+ ')
-+
-+ rw_files_pattern($1, debugfs_t, debugfs_t)
-+ read_lnk_files_pattern($1, debugfs_t, debugfs_t)
-+ list_dirs_pattern($1, debugfs_t, debugfs_t)
-+')
-+
-+########################################
-+##
+## Manage information from the debugging filesystem.
+##
+##
@@ -10114,7 +10204,7 @@ index ed7667a..10c14fe 100644
## Mount a kernel VM filesystem.
##
##
-@@ -1977,7 +2017,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2014,7 +2034,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -10123,7 +10213,7 @@ index ed7667a..10c14fe 100644
')
########################################
-@@ -2380,6 +2420,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2417,6 +2437,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
##
@@ -10148,7 +10238,7 @@ index ed7667a..10c14fe 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
##
-@@ -2845,6 +2903,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2882,6 +2920,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
@@ -10173,7 +10263,7 @@ index ed7667a..10c14fe 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2860,3 +2936,23 @@ interface(`kernel_unconfined',`
+@@ -2897,3 +2953,23 @@ interface(`kernel_unconfined',`
typeattribute $1 kern_unconfined;
')
@@ -10198,10 +10288,19 @@ index ed7667a..10c14fe 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index e4f98ce..806026c 100644
+index 25a817f..c26b4c8 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
-@@ -156,6 +156,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+@@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
+
+ type debugfs_t;
+ fs_type(debugfs_t)
++files_mountpoint(debugfs_t)
++
+ allow debugfs_t self:filesystem associate;
+ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
+
+@@ -156,6 +158,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
#
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -10209,7 +10308,7 @@ index e4f98ce..806026c 100644
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -254,7 +255,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -254,7 +257,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
@@ -10219,7 +10318,7 @@ index e4f98ce..806026c 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -268,19 +270,29 @@ files_list_root(kernel_t)
+@@ -268,19 +272,29 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -10249,7 +10348,7 @@ index e4f98ce..806026c 100644
optional_policy(`
hotplug_search_config(kernel_t)
')
-@@ -357,6 +369,10 @@ optional_policy(`
+@@ -357,6 +371,10 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@@ -10401,17 +10500,25 @@ index 3723150..bde6daa 100644
dev_add_entry_generic_dirs($1)
')
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 3994e57..ee146ae 100644
+index 3994e57..43aa641 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
-@@ -40,3 +40,5 @@ ifdef(`distro_gentoo',`
+@@ -18,6 +18,7 @@
+ /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
+ /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
++/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
+ /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+
+ /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
+@@ -40,3 +41,5 @@ ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
')
+
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 492bf76..a177011 100644
+index 492bf76..525563a 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -267,7 +267,6 @@ interface(`term_dontaudit_read_console',`
@@ -10516,8 +10623,31 @@ index 492bf76..a177011 100644
')
########################################
+@@ -1468,3 +1473,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
+ refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
+ term_dontaudit_use_all_ttys($1)
+ ')
++
++#####################################
++##
++## Read from and write to the virtio console.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_use_virtio_console',`
++ gen_require(`
++ type virtio_device_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 virtio_device_t:chr_file rw_chr_file_perms;
++')
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
-index 646bbcf..a5deade 100644
+index 646bbcf..49d77df 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
@@ -10528,6 +10658,57 @@ index 646bbcf..a5deade 100644
#
# devtty_t is the type of /dev/tty.
+@@ -56,3 +57,9 @@ dev_node(tty_device_t)
+ #
+ type usbtty_device_t, serial_device;
+ dev_node(usbtty_device_t)
++
++#
++# virtio_device_t is the type of /dev/vport[0-9]p[0-9]
++#
++type virtio_device_t, serial_device;
++dev_node(virtio_device_t)
+diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc
+new file mode 100644
+index 0000000..f310b9d
+--- /dev/null
++++ b/policy/modules/kernel/unlabelednet.fc
+@@ -0,0 +1 @@
++# No unlabelednet file contexts.
+diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if
+new file mode 100644
+index 0000000..ba2f0b8
+--- /dev/null
++++ b/policy/modules/kernel/unlabelednet.if
+@@ -0,0 +1,19 @@
++## Policy for allowing confined domains to talk use unlabeled_t packets.
++
++########################################
++##
++## Allow specified type to send recv unlabeled packets
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unlabelednet_sendrecv_packets',`
++ gen_require(`
++ attribute unlabelednet_domain;
++ ')
++
++ kernel_sendrecv_unlabeled_association($1)
++')
+diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te
+new file mode 100644
+index 0000000..dee5ba8
+--- /dev/null
++++ b/policy/modules/kernel/unlabelednet.te
+@@ -0,0 +1,3 @@
++policy_module(unlabelednet, 1.0)
++
++attribute unlabelednet_domain;
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index b0d5b27..a96f2e6 100644
--- a/policy/modules/roles/auditadm.te
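Review bot: `unlabelednet_sendrecv_packets` requires `attribute unlabelednet_domain;` but never uses it, and unlabelednet.te declares that attribute without attaching it to any type, so it is dead in the visible code. The interface body is only `kernel_sendrecv_unlabeled_association($1)`, and the one visible caller passes the attribute `corenet_unlabeled_type`. I would drop the `gen_require` block, and the attribute declaration too unless something outside this chunk uses it. The module summary is also garbled; `## Policy for allowing confined domains to use unlabeled_t packets.` reads correctly.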
@@ -11796,7 +11977,7 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..31bbe95
+index 0000000..7d5de28
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,489 @@
@@ -11810,14 +11991,14 @@ index 0000000..31bbe95
+
+##
+##
-+## Transition unconfined user to the nsplugin domains when running nspluginviewer
++## allow unconfined users to transition to the nsplugin domains when running nspluginviewer
+##
+##
+gen_tunable(allow_unconfined_nsplugin_transition, false)
+
+##
+##
-+## Transition unconfined user to the mozilla plugin domain when running xulrunner plugin-container.
++## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
+##
+##
+gen_tunable(unconfined_mozilla_plugin_transition, false)
@@ -12362,18 +12543,26 @@ index 0ecc786..dbf2710 100644
userdom_dontaudit_search_user_home_dirs(webadm_t)
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index e88b95f..b8b5c15 100644
+index e88b95f..8929065 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
-@@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true)
+@@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
##
##
-## Allow xguest to configure Network Manager
-+## Allow xguest to configure Network Manager and connect to apache ports
++## Allow xguest users to configure Network Manager and connect to apache ports
##
##
gen_tunable(xguest_connect_network, true)
+
+ ##
+ ##
+-## Allow xguest to use blue tooth devices
++## Allow xguest users to use blue tooth devices
+ ##
+ ##
+ gen_tunable(xguest_use_bluetooth, true)
@@ -29,12 +29,12 @@ gen_tunable(xguest_use_bluetooth, true)
role xguest_r;
@@ -13989,7 +14178,7 @@ index c9e1a44..1a1ba36 100644
+ dontaudit $1 httpd_tmp_t:file { read write };
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 08dfa0c..84e9bea 100644
+index 08dfa0c..ee604fe 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.0)
@@ -14341,7 +14530,15 @@ index 08dfa0c..84e9bea 100644
domain_use_interactive_fds(httpd_t)
-@@ -402,6 +490,10 @@ files_read_etc_files(httpd_t)
+@@ -391,6 +479,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+ files_read_usr_files(httpd_t)
+ files_list_mnt(httpd_t)
+ files_search_spool(httpd_t)
++files_read_var_symlinks(httpd_t)
+ files_read_var_lib_files(httpd_t)
+ files_search_home(httpd_t)
+ files_getattr_home_dir(httpd_t)
+@@ -402,6 +491,10 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
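Review bot: `files_read_var_symlinks(httpd_t)` is added with no comment saying which symlink under /var the web server has to follow, and from the context lines it appears to sit outside any `tunable_policy` block, so it would apply to every httpd_t process. The context already shows `files_read_var_lib_symlinks(httpd_t)`, so the new grant widens link traversal to the generic /var label; access to the link target is still decided by the target's own type, which limits the exposure. I would add a one-line why-comment above it, e.g. `# needed when <PATH-PLACEHOLDER> is a symlink in /var`, and the same for `files_read_var_symlinks(httpd_sys_script_t)` in the later apache.te hunk. The enclosing policy section starts and ends outside the hunk.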
@@ -14352,7 +14549,7 @@ index 08dfa0c..84e9bea 100644
libs_read_lib_files(httpd_t)
-@@ -416,34 +508,71 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -416,34 +509,71 @@ seutil_dontaudit_search_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
@@ -14426,7 +14623,7 @@ index 08dfa0c..84e9bea 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +585,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +586,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -14437,7 +14634,7 @@ index 08dfa0c..84e9bea 100644
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,8 +599,12 @@ tunable_policy(`httpd_enable_ftp_server',`
+@@ -466,8 +600,12 @@ tunable_policy(`httpd_enable_ftp_server',`
corenet_tcp_bind_ftp_port(httpd_t)
')
@@ -14452,7 +14649,7 @@ index 08dfa0c..84e9bea 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -475,6 +612,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -475,6 +613,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -14465,7 +14662,7 @@ index 08dfa0c..84e9bea 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +627,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +628,16 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -14482,7 +14679,7 @@ index 08dfa0c..84e9bea 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -500,8 +652,10 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -500,8 +653,10 @@ tunable_policy(`httpd_ssi_exec',`
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
userdom_use_user_terminals(httpd_t)
@@ -14493,7 +14690,7 @@ index 08dfa0c..84e9bea 100644
')
optional_policy(`
-@@ -513,7 +667,13 @@ optional_policy(`
+@@ -513,7 +668,13 @@ optional_policy(`
')
optional_policy(`
@@ -14508,7 +14705,7 @@ index 08dfa0c..84e9bea 100644
')
optional_policy(`
-@@ -528,7 +688,18 @@ optional_policy(`
+@@ -528,7 +689,18 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -14528,7 +14725,7 @@ index 08dfa0c..84e9bea 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +708,12 @@ optional_policy(`
+@@ -537,8 +709,12 @@ optional_policy(`
')
optional_policy(`
@@ -14542,7 +14739,7 @@ index 08dfa0c..84e9bea 100644
')
')
-@@ -556,7 +731,13 @@ optional_policy(`
+@@ -556,7 +732,13 @@ optional_policy(`
')
optional_policy(`
@@ -14556,7 +14753,7 @@ index 08dfa0c..84e9bea 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +748,7 @@ optional_policy(`
+@@ -567,6 +749,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -14564,7 +14761,7 @@ index 08dfa0c..84e9bea 100644
')
optional_policy(`
-@@ -577,6 +759,16 @@ optional_policy(`
+@@ -577,6 +760,16 @@ optional_policy(`
')
optional_policy(`
@@ -14581,7 +14778,7 @@ index 08dfa0c..84e9bea 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +783,11 @@ optional_policy(`
+@@ -591,6 +784,11 @@ optional_policy(`
')
optional_policy(`
@@ -14593,7 +14790,7 @@ index 08dfa0c..84e9bea 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +800,11 @@ optional_policy(`
+@@ -603,6 +801,11 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -14605,7 +14802,7 @@ index 08dfa0c..84e9bea 100644
########################################
#
# Apache helper local policy
-@@ -618,6 +820,10 @@ logging_send_syslog_msg(httpd_helper_t)
+@@ -618,6 +821,10 @@ logging_send_syslog_msg(httpd_helper_t)
userdom_use_user_terminals(httpd_helper_t)
@@ -14616,7 +14813,7 @@ index 08dfa0c..84e9bea 100644
########################################
#
# Apache PHP script local policy
-@@ -654,28 +860,27 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +861,27 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -14657,7 +14854,7 @@ index 08dfa0c..84e9bea 100644
')
########################################
-@@ -699,17 +904,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +905,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -14683,7 +14880,7 @@ index 08dfa0c..84e9bea 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +950,20 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,10 +951,20 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -14705,7 +14902,7 @@ index 08dfa0c..84e9bea 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +989,25 @@ optional_policy(`
+@@ -769,6 +990,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -14731,7 +14928,11 @@ index 08dfa0c..84e9bea 100644
########################################
#
# Apache system script local policy
-@@ -792,9 +1031,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
+@@ -789,12 +1029,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+
+ kernel_read_kernel_sysctls(httpd_sys_script_t)
+
++files_read_var_symlinks(httpd_sys_script_t)
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -14745,7 +14946,7 @@ index 08dfa0c..84e9bea 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +1046,33 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,6 +1048,33 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -14779,7 +14980,7 @@ index 08dfa0c..84e9bea 100644
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -822,7 +1092,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,7 +1094,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -14788,7 +14989,7 @@ index 08dfa0c..84e9bea 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -830,6 +1100,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -830,6 +1102,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -14809,7 +15010,7 @@ index 08dfa0c..84e9bea 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1126,20 @@ optional_policy(`
+@@ -842,10 +1128,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -14830,7 +15031,7 @@ index 08dfa0c..84e9bea 100644
')
########################################
-@@ -891,11 +1185,21 @@ optional_policy(`
+@@ -891,11 +1187,21 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -15045,6 +15246,21 @@ index 61c74bc..c6b0498 100644
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
')
+diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
+index fd64068..2da00a1 100644
+--- a/policy/modules/services/avahi.te
++++ b/policy/modules/services/avahi.te
+@@ -104,6 +104,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rpcbind_signull(avahi_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(avahi_t)
+ ')
+
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 44a1e3d..7e9d2fb 100644
--- a/policy/modules/services/bind.if
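Review bot: The new `optional_policy` block calling `rpcbind_signull(avahi_t)` carries no comment on why avahi has to probe the rpcbind process. A null signal only tests whether the target process exists, so the grant is narrow, but without a rationale it is hard to tell later whether it answers a real need or an incidental denial. A comment such as `# avahi checks whether rpcbind is running (ref: <BUG-ID-PLACEHOLDER>)` inside the block would do; the `rpcbind_signull` interface itself is introduced in the rpcbind.if hunk further down.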
@@ -16290,6 +16506,16 @@ index 1a65b5e..1bc0bc7 100644
pcscd_stream_connect(certmonger_t)
')
+
+diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
+index 420c9d3..b6bb46c 100644
+--- a/policy/modules/services/cgroup.fc
++++ b/policy/modules/services/cgroup.fc
+@@ -11,4 +11,5 @@
+ /sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+ /sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+
++/var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0)
+ /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
index d020c93..e5cbcef 100644
--- a/policy/modules/services/cgroup.if
@@ -16344,10 +16570,19 @@ index d020c93..e5cbcef 100644
cgroup_initrc_domtrans_cgconfig($1)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
-index 8ca2333..8750492 100644
+index 8ca2333..0a1097b 100644
--- a/policy/modules/services/cgroup.te
+++ b/policy/modules/services/cgroup.te
-@@ -22,8 +22,8 @@ files_pid_file(cgred_var_run_t)
+@@ -16,14 +16,17 @@ init_daemon_domain(cgred_t, cgred_exec_t)
+ type cgred_initrc_exec_t;
+ init_script_file(cgred_initrc_exec_t)
+
++type cgred_log_t;
++logging_log_file(cgred_log_t)
++
+ type cgred_var_run_t;
+ files_pid_file(cgred_var_run_t)
+
type cgrules_etc_t;
files_config_file(cgrules_etc_t)
@@ -16358,7 +16593,7 @@ index 8ca2333..8750492 100644
init_daemon_domain(cgconfig_t, cgconfig_exec_t)
type cgconfig_initrc_exec_t;
-@@ -52,7 +52,7 @@ fs_unmount_cgroup(cgclear_t)
+@@ -52,7 +55,7 @@ fs_unmount_cgroup(cgclear_t)
# cgconfig personal policy.
#
@@ -16367,6 +16602,16 @@ index 8ca2333..8750492 100644
allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+@@ -79,6 +82,9 @@ allow cgred_t self:unix_dgram_socket { write create connect };
+
+ allow cgred_t cgrules_etc_t:file read_file_perms;
+
++manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t)
++logging_log_filetrans(cgred_t, cgred_log_t, file)
++
+ # rc script creates pid file
+ manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+ manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
index 9a0da94..2ede737 100644
--- a/policy/modules/services/chronyd.if
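Review bot: `manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t)` gives the daemon more than a log writer usually needs: besides create and append it allows overwriting, renaming and unlinking its own log, so a compromised cgrulesengd could erase or rewrite earlier records. If the daemon only creates and appends to /var/log/cgrulesengd.log (not verifiable from this hunk), the narrower pair `create_files_pattern(cgred_t, cgred_log_t, cgred_log_t)` and `append_files_pattern(cgred_t, cgred_log_t, cgred_log_t)` keeps `logging_log_filetrans` working while preserving log integrity. The surrounding cgred_t section continues outside the hunk.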
@@ -18723,7 +18968,7 @@ index e182bf4..f80e725 100644
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 0d5711c..27a2b36 100644
+index 0d5711c..72fe7a8 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -18826,7 +19071,7 @@ index 0d5711c..27a2b36 100644
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
-@@ -431,14 +441,27 @@ interface(`dbus_system_domain',`
+@@ -431,14 +441,28 @@ interface(`dbus_system_domain',`
domtrans_pattern(system_dbusd_t, $2, $1)
@@ -18836,7 +19081,8 @@ index 0d5711c..27a2b36 100644
dbus_connect_system_bus($1)
+ init_stream_connect($1)
-+
++ init_dgram_send($1)
++
ps_process_pattern(system_dbusd_t, $1)
+ userdom_dontaudit_search_admin_dir($1)
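Review bot: `init_dgram_send($1)` is added inside `dbus_system_domain`, so every domain that calls this interface gains the right to send datagrams to init, not only the service that triggered the denial. That may well be intended (presumably for services talking to the init daemon's socket; the hunk does not say), but a grant this broad deserves a comment stating the reason, e.g. `# all dbus system services may send datagrams to init`. If only a few services need it, the call belongs in their own .te files instead. The interface body starts and ends outside the hunk.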
@@ -18855,7 +19101,7 @@ index 0d5711c..27a2b36 100644
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
')
-@@ -497,3 +520,22 @@ interface(`dbus_unconfined',`
+@@ -497,3 +521,22 @@ interface(`dbus_unconfined',`
typeattribute $1 dbusd_unconfined;
')
@@ -20875,7 +21121,7 @@ index 69dcd2a..a9a9116 100644
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..ce4f73b 100644
+index 8a74a83..b2ca277 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -20898,7 +21144,7 @@ index 8a74a83..ce4f73b 100644
+##
+##
-+## Allow interlnal-sftp to read and write files
++## Allow internal-sftp to read and write files
+## in the user ssh home directories.
+##
+##
@@ -25023,7 +25269,7 @@ index fd71d69..bad9920 100644
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
-index c358d8f..92c9dca 100644
+index c358d8f..fec6a97 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -13,10 +13,11 @@
@@ -25055,7 +25301,7 @@ index c358d8f..92c9dca 100644
- corecmd_exec_bin($1_munin_plugin_t)
-
- miscfiles_read_localization($1_munin_plugin_t)
-+ allow munin_t $1_munin_plugin_t:process signal;
++ allow munin_t $1_munin_plugin_t:process signal_perms;
')
########################################
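Review bot: Replacing `signal` with `signal_perms` in `allow munin_t $1_munin_plugin_t:process signal_perms;` grants the whole signal set (sigchld, sigkill, sigstop, signull, signal) toward every plugin domain built from `$1_munin_plugin_t`, where the likely need is only to terminate a stuck plugin. `allow munin_t $1_munin_plugin_t:process { signal sigkill };` would cover that case; please confirm against the denial that prompted the change. The munin.te hunk below also adds `kill` to `allow munin_t self:capability { ... }`, which lets munin_t signal processes owned by other UIDs (still bounded by the process rules), and neither change has a comment explaining it. The enclosing definition starts outside the hunk.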
@@ -25111,7 +25357,7 @@ index c358d8f..92c9dca 100644
allow $1 munin_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
-index f17583b..0dc6344 100644
+index f17583b..bdeea89 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -25138,7 +25384,7 @@ index f17583b..0dc6344 100644
#
-allow munin_t self:capability { chown dac_override setgid setuid };
-+allow munin_t self:capability { chown dac_override setgid setuid sys_rawio };
++allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio };
dontaudit munin_t self:capability sys_tty_config;
allow munin_t self:process { getsched setsched signal_perms };
allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -25507,7 +25753,7 @@ index 8581040..f54b3b8 100644
allow $1 nagios_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index da5b33d..5416fde 100644
+index da5b33d..433417a 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -107,13 +107,11 @@ files_read_etc_files(nagios_t)
@@ -25578,7 +25824,15 @@ index da5b33d..5416fde 100644
')
######################################
-@@ -323,7 +323,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -310,6 +310,7 @@ optional_policy(`
+ # needed by ioctl()
+ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+
++files_getattr_all_dirs(nagios_checkdisk_plugin_t)
+ files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
+
+ fs_getattr_all_fs(nagios_checkdisk_plugin_t)
+@@ -323,7 +324,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill };
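Review bot: `files_getattr_all_dirs(nagios_checkdisk_plugin_t)` lets the disk-check plugin stat directories of every file type, which is wider than the mount points a disk check normally inspects. If this policy version offers a mount-point-scoped interface (current reference policy has `files_getattr_all_mountpoints`), that would be the tighter choice; otherwise add a comment such as `# disk check stats each mount point` so the breadth is a recorded decision. The plugin's policy section continues outside the hunk.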
@@ -25586,7 +25840,7 @@ index da5b33d..5416fde 100644
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms;
-@@ -340,6 +339,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -340,6 +340,8 @@ files_read_usr_files(nagios_services_plugin_t)
optional_policy(`
netutils_domtrans_ping(nagios_services_plugin_t)
@@ -28028,7 +28282,7 @@ index 333a1fe..d1cf513 100644
type portmap_tmp_t;
files_tmp_file(portmap_tmp_t)
diff --git a/policy/modules/services/portreserve.fc b/policy/modules/services/portreserve.fc
-index c69d047..1d9fa76 100644
+index 4313a6f..4995571 100644
--- a/policy/modules/services/portreserve.fc
+++ b/policy/modules/services/portreserve.fc
@@ -1,3 +1,6 @@
@@ -28037,123 +28291,7 @@ index c69d047..1d9fa76 100644
+
/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
- /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
-diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if
-index 10300a0..7385056 100644
---- a/policy/modules/services/portreserve.if
-+++ b/policy/modules/services/portreserve.if
-@@ -18,6 +18,24 @@ interface(`portreserve_domtrans',`
- domtrans_pattern($1, portreserve_exec_t, portreserve_t)
- ')
-
-+########################################
-+##
-+## Execute portreserve in the portreserve domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`portreserve_initrc_domtrans',`
-+ gen_require(`
-+ type portreserve_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, portreserve_initrc_exec_t)
-+')
-+
- #######################################
- ##
- ## Allow the specified domain to read
-@@ -29,7 +47,6 @@ interface(`portreserve_domtrans',`
- ##
- ##
- ##
--##
- #
- interface(`portreserve_read_config',`
- gen_require(`
-@@ -52,7 +69,6 @@ interface(`portreserve_read_config',`
- ## Domain allowed access.
- ##
- ##
--##
- #
- interface(`portreserve_manage_config',`
- gen_require(`
-@@ -64,3 +80,41 @@ interface(`portreserve_manage_config',`
- manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
- read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
- ')
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an portreserve environment.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`portreserve_admin',`
-+ gen_require(`
-+ type portreserve_t, portreserve_etc_t, portreserve_var_run_t;
-+ type portreserve_initrc_exec_t;
-+ ')
-+
-+ allow $1 portreserve_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, portreserve_t)
-+
-+ portreserve_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 portreserve_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_etc($1)
-+ admin_pattern($1, portreserve_etc_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, portreserve_var_run_t)
-+')
-diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te
-index 4f2dae1..e091aba 100644
---- a/policy/modules/services/portreserve.te
-+++ b/policy/modules/services/portreserve.te
-@@ -9,6 +9,9 @@ type portreserve_t;
- type portreserve_exec_t;
- init_daemon_domain(portreserve_t, portreserve_exec_t)
-
-+type portreserve_initrc_exec_t;
-+init_script_file(portreserve_initrc_exec_t)
-+
- type portreserve_etc_t;
- files_type(portreserve_etc_t)
-
-@@ -35,7 +38,7 @@ read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
- manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
- manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
- manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
--files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file })
-+files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir })
-
- corecmd_getattr_bin_files(portreserve_t)
-
-@@ -47,3 +50,5 @@ corenet_tcp_bind_all_ports(portreserve_t)
- corenet_udp_bind_all_ports(portreserve_t)
-
- files_read_etc_files(portreserve_t)
-+
-+userdom_dontaudit_search_user_home_content(portreserve_t)
+ /etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc
index 55e62d2..c114a40 100644
--- a/policy/modules/services/postfix.fc
@@ -29285,30 +29423,11 @@ index 7e84587..7a7310d 100644
allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
allow prelude_lml_t self:unix_stream_socket connectto;
-diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if
-index 1da26dc..7221526 100644
---- a/policy/modules/services/privoxy.if
-+++ b/policy/modules/services/privoxy.if
-@@ -19,12 +19,11 @@
- #
- interface(`privoxy_admin',`
- gen_require(`
-- type privoxy_t, privoxy_log_t;
-+ type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t;
- type privoxy_etc_rw_t, privoxy_var_run_t;
-- type privoxy_initrc_exec_t;
- ')
-
-- allow $1 privoxy_t:process { ptrace signal_perms getattr };
-+ allow $1 privoxy_t:process { ptrace signal_perms };
- ps_process_pattern($1, privoxy_t)
-
- init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
-index 0d295a8..2404ddc 100644
+index 6f1b2c3..3f1a3fe 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
-@@ -6,10 +6,10 @@ policy_module(privoxy, 1.10.0)
+@@ -6,10 +6,10 @@ policy_module(privoxy, 1.10.1)
#
##
@@ -29323,19 +29442,6 @@ index 0d295a8..2404ddc 100644
##
gen_tunable(privoxy_connect_any, false)
-@@ -58,10 +58,12 @@ corenet_tcp_bind_generic_node(privoxy_t)
- corenet_tcp_bind_http_cache_port(privoxy_t)
- corenet_tcp_connect_http_port(privoxy_t)
- corenet_tcp_connect_http_cache_port(privoxy_t)
-+corenet_tcp_connect_squid_port(privoxy_t)
- corenet_tcp_connect_ftp_port(privoxy_t)
- corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
- corenet_tcp_connect_tor_port(privoxy_t)
- corenet_sendrecv_http_cache_client_packets(privoxy_t)
-+corenet_sendrecv_squid_client_packets(privoxy_t)
- corenet_sendrecv_http_cache_server_packets(privoxy_t)
- corenet_sendrecv_http_client_packets(privoxy_t)
- corenet_sendrecv_ftp_client_packets(privoxy_t)
diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc
index 1343621..4b36a13 100644
--- a/policy/modules/services/procmail.fc
@@ -30367,51 +30473,6 @@ index 0000000..d9c56d4
+ corosync_stream_connect(qpidd_t)
+')
+
-diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if
-index 9a78598..8f132e7 100644
---- a/policy/modules/services/radius.if
-+++ b/policy/modules/services/radius.if
-@@ -38,7 +38,7 @@ interface(`radius_admin',`
- type radiusd_initrc_exec_t;
- ')
-
-- allow $1 radiusd_t:process { ptrace signal_perms getattr };
-+ allow $1 radiusd_t:process { ptrace signal_perms };
- ps_process_pattern($1, radiusd_t)
-
- init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
-diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
-index db6296a..b3f1fd3 100644
---- a/policy/modules/services/radius.te
-+++ b/policy/modules/services/radius.te
-@@ -36,7 +36,7 @@ files_pid_file(radiusd_var_run_t)
- # gzip also needs chown access to preserve GID for radwtmp files
- allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
- dontaudit radiusd_t self:capability sys_tty_config;
--allow radiusd_t self:process { getsched setsched sigkill signal };
-+allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
- allow radiusd_t self:fifo_file rw_fifo_file_perms;
- allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
- allow radiusd_t self:tcp_socket create_stream_socket_perms;
-@@ -59,8 +59,9 @@ logging_log_filetrans(radiusd_t, radiusd_log_t,{ file dir })
- manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t)
-
- manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
-+manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
- manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
--files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file })
-+files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
-
- kernel_read_kernel_sysctls(radiusd_t)
- kernel_read_system_state(radiusd_t)
-@@ -129,6 +130,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ samba_domtrans_winbind_helper(radiusd_t)
- samba_read_var_files(radiusd_t)
- ')
-
diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if
index be05bff..2bd662a 100644
--- a/policy/modules/services/radvd.if
@@ -31989,7 +32050,7 @@ index f5c47d6..5a965e9 100644
/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if
-index a96249c..0458ba7 100644
+index a96249c..3942dfc 100644
--- a/policy/modules/services/rpcbind.if
+++ b/policy/modules/services/rpcbind.if
@@ -5,9 +5,9 @@
@@ -32014,7 +32075,32 @@ index a96249c..0458ba7 100644
')
########################################
-@@ -141,8 +140,14 @@ interface(`rpcbind_admin',`
+@@ -117,6 +116,24 @@ interface(`rpcbind_manage_lib_files',`
+
+ ########################################
+ ##
++## Send a null signal to rpcbind.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpcbind_signull',`
++ gen_require(`
++ type rpcbind_t;
++ ')
++
++ allow $1 rpcbind_t:process signull;
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an rpcbind environment
+ ##
+@@ -141,8 +158,14 @@ interface(`rpcbind_admin',`
allow $1 rpcbind_t:process { ptrace signal_perms };
ps_process_pattern($1, rpcbind_t)
@@ -33191,50 +33277,19 @@ index 4804f14..6f49778 100644
term_dontaudit_search_ptys(fsdaemon_t)
-diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if
-index 824d206..8265278 100644
---- a/policy/modules/services/smokeping.if
-+++ b/policy/modules/services/smokeping.if
-@@ -5,9 +5,9 @@
- ## Execute a domain transition to run smokeping.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`smokeping_domtrans',`
diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te
-index 4ca5449..247beaf 100644
+index 688fbd0..5873bce 100644
--- a/policy/modules/services/smokeping.te
+++ b/policy/modules/services/smokeping.te
-@@ -23,6 +23,7 @@ files_type(smokeping_var_lib_t)
+@@ -23,7 +23,7 @@ files_type(smokeping_var_lib_t)
# smokeping local policy
#
+-dontaudit smokeping_t self:capability { dac_read_search dac_override };
+dontaudit smokeping_t self:capability { dac_read_search dac_override };
allow smokeping_t self:fifo_file rw_fifo_file_perms;
allow smokeping_t self:udp_socket create_socket_perms;
allow smokeping_t self:unix_stream_socket create_stream_socket_perms;
-@@ -44,6 +45,7 @@ files_read_usr_files(smokeping_t)
- files_search_tmp(smokeping_t)
-
- auth_use_nsswitch(smokeping_t)
-+auth_dontaudit_read_shadow(smokeping_t)
-
- logging_send_syslog_msg(smokeping_t)
-
-@@ -63,6 +65,7 @@ optional_policy(`
-
- allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms;
-
-+ manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
- manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
-
- getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc
index 623c8fa..ac10740 100644
--- a/policy/modules/services/snmp.fc
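Review bot: The rewritten smokeping.te section now removes and re-adds `dontaudit smokeping_t self:capability { dac_read_search dac_override };` with text that is identical as shown here, so the inner hunk at `@@ -23,7 +23,7 @@` looks like a whitespace-only difference against the new base. If that is the case, the whole smokeping.te section can be dropped from policy-F15.patch, which keeps the distribution patch limited to real policy differences. The same hunk drops `auth_dontaudit_read_shadow(smokeping_t)` and the `manage_dirs_pattern` line for the CGI script from the patch; that is only safe if the 3.9.10 base already contains them, which cannot be checked from this page.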
@@ -35447,62 +35502,8 @@ index 831b4a3..a206464 100644
/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0)
-diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if
-index b078bf7..fd72fe8 100644
---- a/policy/modules/services/ulogd.if
-+++ b/policy/modules/services/ulogd.if
-@@ -5,9 +5,9 @@
- ## Execute a domain transition to run ulogd.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`ulogd_domtrans',`
-@@ -65,9 +65,9 @@ interface(`ulogd_read_log',`
- ## Allow the specified domain to search ulogd's log files.
- ##
- ##
--##
-+##
- ## Domain allowed access.
--##
-+##
- ##
- #
- interface(`ulogd_search_log',`
-@@ -119,9 +119,8 @@ interface(`ulogd_append_log',`
- #
- interface(`ulogd_admin',`
- gen_require(`
-- type ulogd_t, ulogd_etc_t;
-+ type ulogd_t, ulogd_etc_t, ulogd_modules_t;
- type ulogd_var_log_t, ulogd_initrc_exec_t;
-- type ulogd_modules_t;
- ')
-
- allow $1 ulogd_t:process { ptrace signal_perms };
-@@ -132,12 +131,12 @@ interface(`ulogd_admin',`
- role_transition $2 ulogd_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_search_etc($1)
-+ files_list_etc($1)
- admin_pattern($1, ulogd_etc_t)
-
- logging_list_logs($1)
- admin_pattern($1, ulogd_var_log_t)
-
-- files_search_usr($1)
-+ files_list_usr($1)
- admin_pattern($1, ulogd_modules_t)
- ')
diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te
-index eeaa641..6456c06 100644
+index 00aa99e..eab7ef5 100644
--- a/policy/modules/services/ulogd.te
+++ b/policy/modules/services/ulogd.te
@@ -29,8 +29,13 @@ logging_log_file(ulogd_var_log_t)
@@ -35520,27 +35521,6 @@ index eeaa641..6456c06 100644
# config files
read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
-@@ -43,6 +48,19 @@ mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
- manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
- logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
-
--files_search_etc(ulogd_t)
-+files_read_etc_files(ulogd_t)
-+files_read_usr_files(ulogd_t)
-
- miscfiles_read_localization(ulogd_t)
-+
-+sysnet_dns_name_resolve(ulogd_t)
-+
-+optional_policy(`
-+ mysql_stream_connect(ulogd_t)
-+ mysql_tcp_connect(ulogd_t)
-+')
-+
-+optional_policy(`
-+ postgresql_stream_connect(ulogd_t)
-+ postgresql_tcp_connect(ulogd_t)
-+')
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index c2cf97e..037a1e8 100644
--- a/policy/modules/services/uptime.te
@@ -35554,212 +35534,24 @@ index c2cf97e..037a1e8 100644
allow uptimed_t uptimed_etc_t:file read_file_perms;
files_search_etc(uptimed_t)
-diff --git a/policy/modules/services/usbmuxd.fc b/policy/modules/services/usbmuxd.fc
-index fa54aee..40b8b8d 100644
---- a/policy/modules/services/usbmuxd.fc
-+++ b/policy/modules/services/usbmuxd.fc
-@@ -1,3 +1,3 @@
- /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
-
--/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
-+/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
-diff --git a/policy/modules/services/usbmuxd.if b/policy/modules/services/usbmuxd.if
-index 5015043..53792d3 100644
---- a/policy/modules/services/usbmuxd.if
-+++ b/policy/modules/services/usbmuxd.if
-@@ -5,9 +5,9 @@
- ## Execute a domain transition to run usbmuxd.
- ##
- ##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
- ##
- #
- interface(`usbmuxd_domtrans',`
-diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if
-index a4fbe31..a717e2d 100644
---- a/policy/modules/services/uucp.if
-+++ b/policy/modules/services/uucp.if
-@@ -2,6 +2,25 @@
-
- ########################################
- ##
-+## Execute the uucico program in the
-+## uucpd_t domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`uucp_domtrans',`
-+ gen_require(`
-+ type uucpd_t, uucpd_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, uucpd_exec_t, uucpd_t)
-+')
-+
-+########################################
-+##
- ## Allow the specified domain to append
- ## to uucp log files.
- ##
-@@ -80,7 +99,7 @@ interface(`uucp_admin',`
- type uucpd_var_run_t;
- ')
-
-- allow $1 uucpd_t:process { ptrace signal_perms getattr };
-+ allow $1 uucpd_t:process { ptrace signal_perms };
- ps_process_pattern($1, uucpd_t)
-
- logging_list_logs($1)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
-index b775aaf..7718dbb 100644
+index 9001230..7ff3ef8 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
-@@ -7,7 +7,6 @@ policy_module(uucp, 1.11.0)
- type uucpd_t;
- type uucpd_exec_t;
- inetd_tcp_service_domain(uucpd_t, uucpd_exec_t)
--role system_r types uucpd_t;
-
- type uucpd_lock_t;
- files_lock_file(uucpd_lock_t)
-@@ -83,6 +82,7 @@ corenet_tcp_sendrecv_generic_node(uucpd_t)
- corenet_udp_sendrecv_generic_node(uucpd_t)
- corenet_tcp_sendrecv_all_ports(uucpd_t)
- corenet_udp_sendrecv_all_ports(uucpd_t)
-+corenet_tcp_connect_ssh_port(uucpd_t)
-
- dev_read_urand(uucpd_t)
-
-@@ -113,13 +113,19 @@ optional_policy(`
- kerberos_use(uucpd_t)
- ')
-
-+optional_policy(`
-+ ssh_exec(uucpd_t)
-+')
-+
- ########################################
- #
- # UUX Local policy
- #
-
+@@ -125,6 +125,8 @@ optional_policy(`
allow uux_t self:capability { setuid setgid };
--allow uux_t self:fifo_file write_file_perms;
-+allow uux_t self:fifo_file write_fifo_file_perms;
-+
-+domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)
+ allow uux_t self:fifo_file write_fifo_file_perms;
++domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)
++
uucp_append_log(uux_t)
uucp_manage_spool(uux_t)
-diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if
-index b4d90ac..fe5ce10 100644
---- a/policy/modules/services/varnishd.if
-+++ b/policy/modules/services/varnishd.if
-@@ -21,7 +21,7 @@ interface(`varnishd_domtrans',`
-
- #######################################
- ##
--## Execute varnishd
-+## Execute varnishd
- ##
- ##
- ##
-@@ -56,6 +56,25 @@ interface(`varnishd_read_config',`
- read_files_pattern($1, varnishd_etc_t, varnishd_etc_t)
- ')
-
-+#####################################
-+##
-+## Read varnish lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`varnishd_read_lib_files',`
-+ gen_require(`
-+ type varnishd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
-+')
-+
- #######################################
- ##
- ## Read varnish logs.
-@@ -132,9 +151,8 @@ interface(`varnishd_manage_log',`
- #
- interface(`varnishd_admin_varnishlog',`
- gen_require(`
-- type varnishlog_t;
-- type varnishlog_var_run_t, varnishlog_log_t;
-- type varnishlog_initrc_exec_t;
-+ type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
-+ type varnishlog_var_run_t;
- ')
-
- allow $1 varnishlog_t:process { ptrace signal_perms };
-@@ -145,12 +163,11 @@ interface(`varnishd_admin_varnishlog',`
- role_transition $2 varnishlog_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_search_pids($1)
-- admin_pattern($1, varnishlog_var_run_t)
-+ files_list_pids($1)
-+ admin_pattern($1, varnishlog_var_run_t)
-
- logging_list_logs($1)
- admin_pattern($1, varnishlog_log_t)
--
- ')
-
- #######################################
-@@ -173,7 +190,7 @@ interface(`varnishd_admin_varnishlog',`
- interface(`varnishd_admin',`
- gen_require(`
- type varnishd_t, varnishd_var_lib_t, varnishd_etc_t;
-- type varnishd_var_run_t, varnishd_tmp_t;
-+ type varnishd_var_run_t, varnishd_tmp_t;
- type varnishd_initrc_exec_t;
- ')
-
-@@ -185,16 +202,15 @@ interface(`varnishd_admin',`
- role_transition $2 varnishd_initrc_exec_t system_r;
- allow $2 system_r;
-- files_search_var_lib($1)
-+ files_list_var_lib($1)
- admin_pattern($1, varnishd_var_lib_t)
-
-- files_search_etc($1)
-+ files_list_etc($1)
- admin_pattern($1, varnishd_etc_t)
-
-- files_search_pids($1)
-+ files_list_pids($1)
- admin_pattern($1, varnishd_var_run_t)
-
-- files_search_tmp($1)
-+ files_list_tmp($1)
- admin_pattern($1, varnishd_tmp_t)
--
- ')
diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
-index 1cc80e8..c6bf70e 100644
+index e385c83..6524574 100644
--- a/policy/modules/services/varnishd.te
+++ b/policy/modules/services/varnishd.te
-@@ -6,10 +6,10 @@ policy_module(varnishd, 1.1.0)
+@@ -6,10 +6,10 @@ policy_module(varnishd, 1.1.1)
#
##
@@ -35774,51 +35566,31 @@ index 1cc80e8..c6bf70e 100644
##
gen_tunable(varnishd_connect_any, false)
-@@ -50,7 +50,8 @@ files_type(varnishlog_log_t)
- # varnishd local policy
- #
-
--allow varnishd_t self:capability { dac_override ipc_lock setuid setgid };
-+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
-+dontaudit varnishd_t self:capability sys_tty_config;
- allow varnishd_t self:process signal;
- allow varnishd_t self:fifo_file rw_fifo_file_perms;
- allow varnishd_t self:tcp_socket create_stream_socket_perms;
-@@ -69,7 +70,7 @@ manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
- files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file })
-
- manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t)
--files_pid_filetrans(varnishd_t, varnishd_var_run_t, { file })
-+files_pid_filetrans(varnishd_t, varnishd_var_run_t, file)
-
- kernel_read_system_state(varnishd_t)
-
-@@ -107,7 +108,7 @@ tunable_policy(`varnishd_connect_any',`
- #
-
- manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t)
--files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, { file })
-+files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file)
-
- manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
- manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc
new file mode 100644
-index 0000000..bb0a79c
+index 0000000..71d9784
--- /dev/null
+++ b/policy/modules/services/vdagent.fc
-@@ -0,0 +1,4 @@
+@@ -0,0 +1,11 @@
++
++/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
++
++/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0)
++/var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
++
++/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
++/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0)
++
+
-+/sbin/vdagent -- gen_context(system_u:object_r:vdagent_exec_t,s0)
+
-+/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0)
diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if
new file mode 100644
-index 0000000..35020c8
+index 0000000..83336ab
--- /dev/null
+++ b/policy/modules/services/vdagent.if
-@@ -0,0 +1,39 @@
-+## The spice guest agent daemon.
+@@ -0,0 +1,93 @@
++
++## policy for vdagent
+
+
+########################################
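Review bot: The pid-file entry added to vdagent.fc, `/var/run/spice-vdagentd.\pid`, has the backslash on the wrong side of the dot, so the `.` is an unescaped wildcard and `\p` is an escape whose meaning depends on the regex engine. The log entry two lines below uses the expected form (`spice-vdagentd\.log`), so the pid line should read `/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)`. If the pattern fails to compile or match, the pid file would presumably keep the default label of its parent directory instead of vdagent_var_run_t, and the access granted through `vdagent_read_pid_files` would not cover it.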
@@ -35839,9 +35611,10 @@ index 0000000..35020c8
+ domtrans_pattern($1, vdagent_exec_t, vdagent_t)
+')
+
++
+########################################
+##
-+## Connect to vdagent over an unix stream socket.
++## Read vdagent PID files.
+##
+##
+##
@@ -35849,20 +35622,72 @@ index 0000000..35020c8
+##
+##
+#
++interface(`vdagent_read_pid_files',`
++ gen_require(`
++ type vdagent_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 vdagent_var_run_t:file read_file_perms;
++')
++
++#####################################
++##
++## Connect to vdagent over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`vdagent_stream_connect',`
++ gen_require(`
++ type vdagent_var_run_t, vdagent_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an vdagent environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`vdagent_admin',`
+ gen_require(`
-+ type vdagent_t, vdagent_var_run_t;
++ type vdagent_t;
++ type vdagent_var_run_t;
+ ')
+
++ allow $1 vdagent_t:process { ptrace signal_perms };
++ ps_process_pattern($1, vdagent_t)
++
+ files_search_pids($1)
-+ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
++ admin_pattern($1, vdagent_var_run_t)
++
+')
++
diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te
new file mode 100644
-index 0000000..87d5c8c
+index 0000000..324365e
--- /dev/null
+++ b/policy/modules/services/vdagent.te
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,50 @@
+policy_module(vdagent,1.0.0)
+
+########################################
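Review bot: The new vdagent_admin interface documents a role parameter, but its body never references `$2`, and it leaves out `vdagent_log_t`, which vdagent.te in this same commit declares and lets the daemon manage. A domain granted this interface can ptrace and signal the daemon and manage its pid files, yet cannot reach its logs. I would extend the require to `type vdagent_t, vdagent_var_run_t, vdagent_log_t;` and add `logging_list_logs($1)` followed by `admin_pattern($1, vdagent_log_t)`. The role parameter should then either be used or be dropped from the header comment, so callers are not misled about what the second argument does.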
@@ -35872,35 +35697,47 @@ index 0000000..87d5c8c
+
+type vdagent_t;
+type vdagent_exec_t;
-+udev_system_domain(vdagent_t, vdagent_exec_t)
++init_daemon_domain(vdagent_t, vdagent_exec_t)
++
++permissive vdagent_t;
+
+type vdagent_var_run_t;
+files_pid_file(vdagent_var_run_t)
+
-+permissive vdagent_t;
++type vdagent_log_t;
++logging_log_file(vdagent_log_t)
+
+########################################
+#
+# vdagent local policy
+#
-+allow vdagent_t self:process { fork };
+
+allow vdagent_t self:fifo_file rw_fifo_file_perms;
+allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
+
-+manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
+manage_dirs_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
++manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
+manage_sock_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
-+manage_lnk_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
-+files_pid_filetrans(vdagent_t, vdagent_var_run_t, { file dir sock_file })
++files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file })
++
++manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
++manage_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
++logging_log_filetrans(vdagent_t, vdagent_log_t, { file })
+
-+domain_use_interactive_fds(vdagent_t)
++dev_rw_input_dev(vdagent_t)
+
-+files_read_etc_files(vdagent_t)
++term_use_virtio_console(vdagent_t)
+
+miscfiles_read_localization(vdagent_t)
+
-+userdom_use_user_ptys(vdagent_t)
++optional_policy(`
++ consolekit_dbus_chat(vdagent_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(vdagent_t)
++')
++
diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if
index 1f872b5..da605ba 100644
--- a/policy/modules/services/vhostmd.if
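Review bot: `logging_log_filetrans(vdagent_t, vdagent_log_t, { file })` covers only regular files, while the same section grants `manage_dirs_pattern` on vdagent_log_t and vdagent.fc in this commit labels a `/var/log/spice-vdagentd` directory. If the daemon creates that directory itself it would get the generic log directory type until a relabel; `logging_log_filetrans(vdagent_t, vdagent_log_t, { dir file })` would match the pid-file transition a few lines above, which already lists `dir`. If packaging pre-creates and labels the directory, the current rule is sufficient. Because `permissive vdagent_t;` is kept, a mislabel like this would show up only as AVC records, not as failures, so it is worth checking the audit log before the permissive line is removed, especially now that the domain has `dev_rw_input_dev`.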
@@ -36301,7 +36138,7 @@ index 7c5d8d8..dbdc0e0 100644
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
+')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..500f8e9 100644
+index 3eca020..a48a862 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
@@ -36315,7 +36152,7 @@ index 3eca020..500f8e9 100644
-## Allow virt to use serial/parallell communication ports
-##
+##
-+## Allow virt to use serial/parallell communication ports
++## Allow confined virtual guests to use serial/parallel communication ports
+##
##
gen_tunable(virt_use_comm, false)
@@ -36325,7 +36162,7 @@ index 3eca020..500f8e9 100644
-## Allow virt to read fuse files
-##
+##
-+## Allow virt to read fuse files
++## Allow confined virtual guests to read fuse files
+##
##
gen_tunable(virt_use_fusefs, false)
@@ -36335,7 +36172,7 @@ index 3eca020..500f8e9 100644
-## Allow virt to manage nfs files
-##
+##
-+## Allow virt to manage nfs files
++## Allow confined virtual guests to manage nfs files
+##
##
gen_tunable(virt_use_nfs, false)
@@ -36345,7 +36182,7 @@ index 3eca020..500f8e9 100644
-## Allow virt to manage cifs files
-##
+##
-+## Allow virt to manage cifs files
++## Allow confined virtual guests to manage cifs files
+##
##
gen_tunable(virt_use_samba, false)
@@ -36355,7 +36192,7 @@ index 3eca020..500f8e9 100644
-## Allow virt to manage device configuration, (pci)
-##
+##
-+## Allow virt to manage device configuration, (pci)
++## Allow confined virtual guests to manage device configuration, (pci)
+##
##
gen_tunable(virt_use_sysfs, false)
@@ -36365,14 +36202,14 @@ index 3eca020..500f8e9 100644
-## Allow virt to use usb devices
-##
+##
-+## Allow virtual machine to interact with the xserver
++## Allow confined virtual guests to interact with the xserver
+##
+##
+gen_tunable(virt_use_xserver, false)
+
+##
+##
-+## Allow virt to use usb devices
++## Allow confined virtual guests to use usb devices
+##
##
gen_tunable(virt_use_usb, true)
@@ -38171,7 +38008,7 @@ index da2601a..4b06508 100644
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index e226da4..eb4294e 100644
+index e226da4..1ada171 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -38199,14 +38036,14 @@ index e226da4..eb4294e 100644
+##
##
-## Allow xdm logins as sysadm
-+## Allows xdm to execute bootloader
++## Allow the graphical login program to execute bootloader
##
##
+gen_tunable(xdm_exec_bootloader, false)
+
+##
+##
-+## Allow xdm logins as sysadm
++## Allow the graphical login program to login directly as sysadm_r:sysadm_t
+##
+##
gen_tunable(xdm_sysadm_login, false)
@@ -40425,7 +40262,7 @@ index 408f4e6..55c2d03 100644
auth_rw_login_records(getty_t)
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index 1fd31c1..683494c 100644
+index 1fcd657..52063bc 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -28,15 +28,18 @@ dev_read_sysfs(hostname_t)
@@ -40447,17 +40284,6 @@ index 1fd31c1..683494c 100644
fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
term_dontaudit_use_console(hostname_t)
-@@ -55,6 +58,10 @@ sysnet_read_config(hostname_t)
- sysnet_dns_name_resolve(hostname_t)
-
- optional_policy(`
-+ nis_use_ypbind(hostname_t)
-+')
-+
-+optional_policy(`
- xen_append_log(hostname_t)
- xen_dontaudit_use_fds(hostname_t)
- ')
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 9775375..41a244a 100644
--- a/policy/modules/system/init.fc
@@ -40494,7 +40320,7 @@ index 9775375..41a244a 100644
#
# /var
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index df3fa64..b123b4a 100644
+index df3fa64..36da732 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -105,7 +105,11 @@ interface(`init_domain',`
@@ -40563,7 +40389,7 @@ index df3fa64..b123b4a 100644
')
application_domain($1,$2)
-@@ -345,6 +368,19 @@ interface(`init_system_domain',`
+@@ -345,6 +368,20 @@ interface(`init_system_domain',`
role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
@@ -40579,11 +40405,12 @@ index df3fa64..b123b4a 100644
+ allow init_t $1:process siginh;
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
++ dontaudit $1 init_t:unix_stream_socket { read getattr ioctl };
+ ')
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
-@@ -353,6 +389,37 @@ interface(`init_system_domain',`
+@@ -353,6 +390,37 @@ interface(`init_system_domain',`
kernel_dontaudit_use_fds($1)
')
')
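Review bot: The added `dontaudit $1 init_t:unix_stream_socket { read getattr ioctl };` has no comment saying which denial it is meant to silence, and it applies to every domain passed as `$1`. The spec changelog on this page mentions "init leaks file descriptors to daemons", which is presumably the reason. Recording that next to the rule would help, e.g. `# init leaks its unix stream socket fd to daemons it starts (changelog 3.9.9-4)`. Without it a later reader cannot tell a cosmetic suppression from one that hides a real access attempt, and such attempts stay invisible unless dontaudit rules are disabled with `semodule -DB`. The enclosing block starts outside this hunk.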
@@ -40621,7 +40448,7 @@ index df3fa64..b123b4a 100644
')
########################################
-@@ -687,19 +754,24 @@ interface(`init_telinit',`
+@@ -687,19 +755,24 @@ interface(`init_telinit',`
type initctl_t;
')
@@ -40647,7 +40474,7 @@ index df3fa64..b123b4a 100644
')
')
-@@ -772,18 +844,19 @@ interface(`init_script_file_entry_type',`
+@@ -772,18 +845,19 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -40671,7 +40498,7 @@ index df3fa64..b123b4a 100644
')
')
-@@ -799,23 +872,45 @@ interface(`init_spec_domtrans_script',`
+@@ -799,23 +873,45 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -40721,7 +40548,7 @@ index df3fa64..b123b4a 100644
## Execute a init script in a specified domain.
##
##
-@@ -867,8 +962,12 @@ interface(`init_script_file_domtrans',`
+@@ -867,8 +963,12 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -40734,7 +40561,7 @@ index df3fa64..b123b4a 100644
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
-@@ -1129,12 +1228,7 @@ interface(`init_read_script_state',`
+@@ -1129,12 +1229,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -40748,7 +40575,7 @@ index df3fa64..b123b4a 100644
')
########################################
-@@ -1374,6 +1468,27 @@ interface(`init_dbus_send_script',`
+@@ -1374,6 +1469,27 @@ interface(`init_dbus_send_script',`
########################################
##
## Send and receive messages from
@@ -40776,7 +40603,7 @@ index df3fa64..b123b4a 100644
## init scripts over dbus.
##
##
-@@ -1460,6 +1575,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1460,6 +1576,25 @@ interface(`init_getattr_script_status_files',`
########################################
##
@@ -40802,7 +40629,7 @@ index df3fa64..b123b4a 100644
## Do not audit attempts to read init script
## status files.
##
-@@ -1673,7 +1807,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1673,7 +1808,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -40811,7 +40638,7 @@ index df3fa64..b123b4a 100644
')
########################################
-@@ -1748,3 +1882,74 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1748,3 +1883,93 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -40886,8 +40713,27 @@ index df3fa64..b123b4a 100644
+
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
++
++########################################
++##
++## Send a message to init over a unix domain
++## datagram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_dgram_send',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:unix_dgram_socket sendto;
++')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 8a105fd..fda765f 100644
+index 8a105fd..2981ece 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@@ -41094,8 +40940,8 @@ index 8a105fd..fda765f 100644
+ files_manage_generic_tmp_dirs(init_t)
+ files_relabelfrom_tmp_dirs(init_t)
+ files_relabelfrom_tmp_files(init_t)
-+ files_relabelto_all_tmp_dirs(init_t)
-+ files_relabelto_all_tmp_files(init_t)
++ files_relabel_all_tmp_dirs(init_t)
++ files_relabel_all_tmp_files(init_t)
+
+ auth_manage_faillog(init_t)
+ auth_relabel_faillog(init_t)
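Review bot: Replacing `files_relabelto_all_tmp_dirs(init_t)` and `files_relabelto_all_tmp_files(init_t)` with the `files_relabel_all_tmp_*` interfaces looks like a widening for init_t, from relabelto only to relabelfrom plus relabelto on every tmp type. That reading comes from the interface names; their definitions are not in this hunk. If the change only follows an upstream interface rename, a short comment above the two calls would record that the broader grant is deliberate, e.g. `# relabel (from and to) on all tmp types; confirm init_t needs relabelfrom here`. The enclosing block in init.te starts and ends outside the hunk.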
@@ -43009,51 +42855,11 @@ index 86ef2da..7f649d5 100644
modutils_domtrans_insmod(lvm_t)
')
-diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 7711464..a8bd9fe 100644
---- a/policy/modules/system/miscfiles.fc
-+++ b/policy/modules/system/miscfiles.fc
-@@ -10,7 +10,9 @@ ifdef(`distro_gentoo',`
- #
- /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
- /etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
-+/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
- /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
-+/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
-
- ifdef(`distro_redhat',`
- /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
-@@ -75,13 +77,11 @@ ifdef(`distro_redhat',`
- /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
- /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-
--/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
--
- /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
-
--/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
-+/var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
-
--/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
-+/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
-
- ifdef(`distro_debian',`
- /var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fe4e741..1dfa62a 100644
+index 926ba65..1dfa62a 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
-@@ -414,9 +414,6 @@ interface(`miscfiles_read_localization',`
- allow $1 locale_t:dir list_dir_perms;
- read_files_pattern($1, locale_t, locale_t)
- read_lnk_files_pattern($1, locale_t, locale_t)
--
-- # why?
-- libs_read_lib_files($1)
- ')
-
- ########################################
-@@ -585,6 +582,26 @@ interface(`miscfiles_manage_man_pages',`
+@@ -582,6 +582,26 @@ interface(`miscfiles_manage_man_pages',`
########################################
##
@@ -43081,10 +42887,10 @@ index fe4e741..1dfa62a 100644
## transfer services.
##
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
-index c51f7f5..59c70bf 100644
+index 2cb10d4..6c33b3b 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
-@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.8.1)
+@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.8.2)
#
# Declarations
#
@@ -43092,14 +42898,6 @@ index c51f7f5..59c70bf 100644
attribute cert_type;
#
-@@ -12,6 +11,7 @@ attribute cert_type;
- #
- type cert_t;
- miscfiles_cert_type(cert_t)
-+
- #
- # fonts_t is the type of various font
- # files in /usr
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 9c0faab..def8d5a 100644
--- a/policy/modules/system/modutils.if
@@ -43497,7 +43295,7 @@ index 8b5c196..b195f9d 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index fca6947..5dadaa8 100644
+index 6fe8471..be5821a 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,8 +17,15 @@ type mount_exec_t;
@@ -43547,7 +43345,7 @@ index fca6947..5dadaa8 100644
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -46,50 +68,85 @@ can_exec(mount_t, mount_exec_t)
+@@ -46,8 +68,23 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -43564,12 +43362,14 @@ index fca6947..5dadaa8 100644
kernel_read_system_state(mount_t)
+kernel_read_network_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
--kernel_dontaudit_getattr_core_if(mount_t)
+kernel_manage_debugfs(mount_t)
+kernel_setsched(mount_t)
+kernel_use_fds(mount_t)
+kernel_request_load_module(mount_t)
-
+ kernel_dontaudit_getattr_core_if(mount_t)
+ kernel_dontaudit_write_debugfs_dirs(mount_t)
+ kernel_dontaudit_write_proc_dirs(mount_t)
+@@ -55,46 +92,68 @@ kernel_dontaudit_write_proc_dirs(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@@ -43579,13 +43379,17 @@ index fca6947..5dadaa8 100644
+dev_read_usbfs(mount_t)
+dev_read_rand(mount_t)
+dev_read_sysfs(mount_t)
+ dev_read_sysfs(mount_t)
+ dev_dontaudit_write_sysfs_dirs(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)
++
+ifdef(`hide_broken_symptoms',`
+ dev_rw_generic_blk_files(mount_t)
+')
++
# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(mount_t)
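Review bot: After this rebase the mount.te section still adds `dev_read_sysfs(mount_t)` while the identical call now sits directly below it as an unchanged upstream line, so the patched file contains the rule twice. The duplicate does not change the compiled policy, but it makes it harder to see which grants Fedora adds on top of upstream. Dropping the `+dev_read_sysfs(mount_t)` line from the patch resolves it.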
@@ -43615,7 +43419,7 @@ index fca6947..5dadaa8 100644
# For reading cert files
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
-+files_write_all_dirs(mount_t)
+ files_dontaudit_write_root_dirs(mount_t)
-fs_getattr_xattr_fs(mount_t)
-fs_getattr_cifs(mount_t)
@@ -43630,17 +43434,17 @@ index fca6947..5dadaa8 100644
fs_rw_tmpfs_chr_files(mount_t)
+fs_rw_nfsd_fs(mount_t)
+fs_rw_removable_blk_files(mount_t)
-+fs_manage_tmpfs_dirs(mount_t)
++#fs_manage_tmpfs_dirs(mount_t)
fs_read_tmpfs_symlinks(mount_t)
+fs_read_fusefs_files(mount_t)
+fs_manage_nfs_dirs(mount_t)
+fs_read_nfs_symlinks(mount_t)
+fs_manage_cgroup_dirs(mount_t)
+fs_manage_cgroup_files(mount_t)
+ fs_dontaudit_write_tmpfs_dirs(mount_t)
mls_file_read_all_levels(mount_t)
- mls_file_write_all_levels(mount_t)
-@@ -100,6 +157,7 @@ storage_raw_read_fixed_disk(mount_t)
+@@ -106,6 +165,7 @@ storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
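Review bot: `#fs_manage_tmpfs_dirs(mount_t)` goes into the patch as a commented-out rule with no reason given, which leaves dead policy text that someone may later re-enable without knowing why it was disabled. I would either delete the line or keep it with an explanation of the form `# disabled in 3.9.10: <reason>`. The same hunk now shows upstream's `fs_dontaudit_write_tmpfs_dirs(mount_t)` in context, so if mount_t does still need to create directories on tmpfs, the resulting denials would not be audited.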
@@ -43648,7 +43452,7 @@ index fca6947..5dadaa8 100644
term_use_all_terms(mount_t)
-@@ -108,6 +166,8 @@ auth_use_nsswitch(mount_t)
+@@ -114,6 +174,8 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -43657,7 +43461,7 @@ index fca6947..5dadaa8 100644
logging_send_syslog_msg(mount_t)
-@@ -118,6 +178,12 @@ sysnet_use_portmap(mount_t)
+@@ -124,6 +186,12 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -43670,7 +43474,7 @@ index fca6947..5dadaa8 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -133,10 +199,17 @@ ifdef(`distro_ubuntu',`
+@@ -139,10 +207,17 @@ ifdef(`distro_ubuntu',`
')
')
@@ -43688,7 +43492,7 @@ index fca6947..5dadaa8 100644
')
optional_policy(`
-@@ -166,6 +239,8 @@ optional_policy(`
+@@ -172,6 +247,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -43697,7 +43501,7 @@ index fca6947..5dadaa8 100644
')
optional_policy(`
-@@ -173,6 +248,28 @@ optional_policy(`
+@@ -179,6 +256,28 @@ optional_policy(`
')
optional_policy(`
@@ -43726,7 +43530,7 @@ index fca6947..5dadaa8 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -180,13 +277,44 @@ optional_policy(`
+@@ -186,13 +285,44 @@ optional_policy(`
')
')
@@ -43771,7 +43575,7 @@ index fca6947..5dadaa8 100644
')
########################################
-@@ -195,6 +323,42 @@ optional_policy(`
+@@ -201,6 +331,42 @@ optional_policy(`
#
optional_policy(`
@@ -48625,9 +48429,18 @@ index 35f1476..d74e327 100644
+ type_transition $1 user_tmp_t:process $2;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index a7088c6..5119d1e 100644
+index a7088c6..2c840bc 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
+@@ -7,7 +7,7 @@ policy_module(userdomain, 4.4.4)
+
+ ##
+ ##
+-## Allow users to connect to mysql
++## Allow users to connect to the local mysql server
+ ##
+ ##
+ gen_tunable(allow_user_mysql_connect, false)
@@ -43,6 +43,13 @@ gen_tunable(user_rw_noexattrfile, false)
##
@@ -48992,14 +48805,14 @@ index 22ca011..df6b5de 100644
#
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index effb6c5..cabc009 100644
+index f7380b3..cabc009 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
#
# All socket classes.
#
--define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
+-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0c5a81d..8bc25c2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,8 +20,8 @@
%define CHECKPOLICYVER 2.0.21-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.9.9
-Release: 4%{?dist}
+Version: 3.9.10
+Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,11 @@ exit 0
%endif
%changelog
+* Thu Nov 25 2010 Miroslav Grepl 3.9.10-1
+- Update to upstream
+- Cleanup for sandbox
+- Add attribute to be able to select sandbox types
+
* Mon Nov 22 2010 Miroslav Grepl 3.9.9-4
- Allow ddclient to fix file mode bits of ddclient conf file
- init leaks file descriptors to daemons
diff --git a/sources b/sources
index f202373..56f19d9 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
409b40c8102b1617681ba17c31032e66 config.tgz
-24888445b1086e411acfa24c592cc65a serefpolicy-3.9.9.tgz
+1deb2db0ad303b26fc44b5c7f7497c32 serefpolicy-3.9.10.tgz